Restrict ability to edit / add users to groups

Go to solution
mcconnellsj
Kilo Sage

‎11-26-2019 02:29 PM

Users with itil role have the ability to amend user groups and their members.

We want to restrict this ability to a certain group of itil users.

We have too many users with itil role perhaps, and need to fix that, however need this restriction in the interim.

What is the easiest way to acheive this?

S.

Labels:
0 Helpfuls
  • 2,739 Views
1 ACCEPTED SOLUTION

Go to solution
Tony Chatfield1
Kilo Patron

‎11-26-2019 07:16 PM

You should be able to remove the new\edit buttons by adding the new role to 'list control' new\edit roles on the list control form r\h side - you may find removing the buttons is sufficent and that you can get away without the ACL changes, but would need to test to validate this as a new user or group could still be created via 'table'.form in the menu navigator - so it depends on whether you decide instructing your users not to do it is sufficent. I would set ACL's so there is no confusion.


If changing ACL's, I normally set existing OOB records to inactive(so they can be flagged as replace on upgrade) and create (or copy) my own.

 

View solution in original post

0 Helpfuls
4 REPLIES 4

Go to solution
Tony Chatfield1
Kilo Patron

‎11-26-2019 02:50 PM

Hi, I think the easiest solution would be to add a role specificly for the porpose,
or maybe utilisean OOB role like user_admin;
But you will need to update the ACLs for sys_user_group, sys_user_grmember....

Then you can either add the role directly to your users, or via a group with the role applied to it.

Go to solution
mcconnellsj
Kilo Sage
In response to Tony Chatfield1

‎11-26-2019 03:01 PM

Thank you!

I thought as much, but hoping to avoid meddling with ACLs.

Would the new role and amended ACLs hide the "New" and "Edit" buttons on the group record?

I also want user and group to be read only, except for users of this new group.

 

0 Helpfuls

Go to solution
Tony Chatfield1
Kilo Patron

‎11-26-2019 07:16 PM

You should be able to remove the new\edit buttons by adding the new role to 'list control' new\edit roles on the list control form r\h side - you may find removing the buttons is sufficent and that you can get away without the ACL changes, but would need to test to validate this as a new user or group could still be created via 'table'.form in the menu navigator - so it depends on whether you decide instructing your users not to do it is sufficent. I would set ACL's so there is no confusion.


If changing ACL's, I normally set existing OOB records to inactive(so they can be flagged as replace on upgrade) and create (or copy) my own.

 

0 Helpfuls

Go to solution
Patrick Niessen
Giga Contributor

‎09-22-2020 12:39 AM

Removing buttons is not sufficient, as this would keep other paths open to reach the Group form.  ACL should  be the preferred method.