The "root" user is the only user account available after performing an In-Portal installation. This user is special because:
- it can't be deleted or disabled
- no permissions are checked for this user
The latter fact makes it possible to log in to the Admin Console even if website access permissions were changed to such a level that no other Administrator is able to do so.
This is all nice and shiny, but using the "root" account by default isn't the safest way to work with In-Portal. Instead, the recommended approach (but we never wrote about this anywhere) is to create an Administrator account and use it instead of the "root" user.
Add a banner in the Administrative Console (e.g. in the top frame or above every page in the main frame) that:
- is shown only when the "root" user is logged in
- has text similar to this: