More role permission granularity

Shatz Member

There needs to be more granularity around the permissions that can be assigned to roles - specifically regarding the permission grants offered for Role and User management. There needs to be alternatives to the current 'all-or-nothing' options of 'Manage all roles' and 'Manage all users' permissions.

I created a custom role with limited admin access. I need this role to be able to assign new and existing users to roles other than Participant. With the options currently available, they cannot do this unless I assign them to the Privileged role (which lacks other permissions they need and would only allow them to assign new users to other roles) or I grant them full access to role administration ('Manage all roles'). However, granting them 'Manage all roles' would grant them far too much access, including the ability to elevate their own permissions or remove mine. They also need to be able to edit attributes of existing users, but that is only currently allowed by the ‘Manage all users’. Again, this grants the user far more permission than they should have, including the ability to delete Admin users.

There needs to be a way to define a hierarchy among the roles (which includes Custom Roles). Then, an ‘Assign Roles’ permission (that has no access to create, edit, or delete roles) needs to be created that allows users assigned to that permission to manage role assignments within the following restrictions:

-The ‘Assign Roles’ user can only change role assignments for users currently assigned to a role less than or equal to the ‘Assign Roles’ user’s role. This prevents them from removing permissions from a user with more elevated access.

-The ‘Assign Roles’ user can only assign users to a role less than or equal to the ‘Assign Roles’ user’s role. This prevents them from elevating their own access.

My proposal regarding permissions for ‘Manage all users’ is very similar whereby a limited ‘Manage Users’ permission would be created that allowed users with this permission to Edit users and reset passwords for those users whose role is less than or equal to the ‘Manage Users’ role. I could even see a need to making the 'Reset user password' into a standalone permission.

4 votes

Active · Last Updated