In our environment, we allow users with the project_admin role to list people in their project. If a user with an admin role is part of the project of a malicious user (maybe to help with some debugging, or an inherited role), this would allow the malicious user to know the UUID of the admin user.