THIS IS A TEST INSTANCE. ALL YOUR CHANGES WILL BE LOST!!!!
...
In fixed versions of Ambari (2.0.2; 2.1.1 and onward), access to the user resource endpoint is protected such that only a user with administrator privileges can esculate a user's privileges. A user, however, may still access the endpoint but may only change their own password.
Fixed in Ambari
...
2.1.0
...
CVE-2015-1775: Apache Ambari Server Side Request Forgery vulnerability
...