How do I grant my Service Desk team the ability to add/remove new users but restrict their access to Groups?

smasters

My service desk team supports Internal Users, External Users, and External Vendors, which need to be added to the "caller" field when a new user is encountered. Due to the nature of our business, the external users and vendors are an undefined list and will be needed 'on the fly'.
I have granted my Service Desk Users the ability to add/remove users, and this works as expected, with them unable to modify admin rights. However, we utilize groups for assigning permissions automatically via Azure provisioning, and they now have the ability to add/remove users from groups, which I do not want them to be able to do.

How do I grant my Service Desk team the ability to add/remove new users but restrict their access to Groups? If there is a better way to tackle this I am up for any suggestions or feedback.

1 ACCEPTED SOLUTION

Hi,

That role is really able to manage groups and group members.

So remove the role from the group, and instead I would suggest to:

- create a new role and assign it to 'Technical support'

- create create ACL rule for this group on sys_user table

- create write ACL rule for this group on sys_user table

- create delete ACL rule for this group on sys_user table



Jan Cernocky

Hi,

I would need more info on this:

- how did you grant the extra access? (adding built-in role, creating new role + ACL? - in this case a screenshot would be very handy)

- ability to add/remove users you actually mean create/delete user records in sys_user table?

The User_Admin role was added to the group "Technical Support" which allowed the add/remove users from the sys_user table. 

Do you have any documentation that might outline the process?
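
A check for the setup the accepted solution describes, as an added example that is not part of the original thread: it audits exported ACL rows for the new role, confirms the create/write/delete rules on sys_user exist, and flags any rule that reaches beyond sys_user, such as the group tables. The role name `u_service_desk_user_mgr`, the row shape (a join of ACL records with their required roles) and the sample rows are assumptions constructed for illustration.

```javascript
// Added example. Row shape and role name are hypothetical; rows are constructed.
const ALLOWED_TABLE = "sys_user";
const REQUIRED_OPS = ["create", "write", "delete"];
// ServiceNow tables holding groups, group membership and role grants.
const GROUP_TABLES = new Set([
  "sys_user_group", "sys_user_grmember", "sys_user_has_role", "sys_group_has_role",
]);

const ROLE = "u_service_desk_user_mgr"; // hypothetical custom role
const sampleAcls = [
  { name: "sys_user", operation: "create", active: true, roles: [ROLE] },
  { name: "sys_user", operation: "write", active: true, roles: [ROLE] },
  { name: "sys_user", operation: "delete", active: true, roles: [ROLE] },
  // Over-grant: the custom role was also attached to a group-membership ACL.
  { name: "sys_user_grmember", operation: "create", active: true, roles: ["user_admin", ROLE] },
  // Inactive rules grant nothing and are skipped.
  { name: "sys_user_group", operation: "write", active: false, roles: [ROLE] },
];

function auditRole(acls, role) {
  const granted = new Set();
  const violations = [];
  for (const acl of acls) {
    if (!acl.active || !acl.roles.includes(role)) continue;
    // ACL names are "table" or "table.field"; field rules stay inside the table.
    const [table, field] = acl.name.split(".");
    if (table === ALLOWED_TABLE) {
      if (!field) granted.add(acl.operation); // count record-level rules only
    } else {
      violations.push({
        acl: acl.name,
        operation: acl.operation,
        groupRelated: GROUP_TABLES.has(table),
      });
    }
  }
  const missing = REQUIRED_OPS.filter((op) => !granted.has(op));
  return { missing, violations, ok: missing.length === 0 && violations.length === 0 };
}

const report = auditRole(sampleAcls, ROLE);
console.log(JSON.stringify(report, null, 2));
```
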