Restrict Manual Provisioning of Sensitive Roles/Groups
10 hours ago
Hi Community,
We have a requirement to prevent users with "admin" or "user_admin" roles from manually provisioning certain sensitive groups. Only "security_admin" role users should be able to provision the groups.
For example, below are the 2 groups:
Group A
Group B
Expected Behavior:
- If a user with "admin" or "user_admin" tries to manually assign any of the above roles/groups, the system should block the action and show a message like: “Only users with the 'security_admin' role can provision this role/group manually.”
- Users with "security_admin" should be allowed to assign these roles/groups, and the action should be logged for audit.
- ACLs should enforce restrictions on group membership changes for these sensitive groups.
