More role permission granularity
There needs to be more granularity around the permissions that can be assigned to roles - specifically regarding the permission grants offered for Role and User management. There need to be alternatives to the current 'all-or-nothing' options of 'Manage all roles' and 'Manage all users' permissions.
I created a custom role with limited admin access. I need this role to be able to assign new and existing users to roles other than Participant. With the options currently available, they cannot do this unless I assign them to the Privileged role (which lacks other permissions they need and would only allow them to assign new users to other roles) or I grant them full access to role administration ('Manage all roles'). However, granting them 'Manage all roles' would grant them far too much access, including the ability to elevate their own permissions or remove mine. They also need to be able to edit attributes of existing users, but that is only currently allowed by the ‘Manage all users’ permission. Again, this grants the user far more permission than they should have, including the ability to delete Admin users.
There needs to be a way to define a hierarchy among the roles (which includes Custom Roles). Then, an ‘Assign Roles’ permission (that has no access to create, edit, or delete roles) needs to be created that allows users assigned to that permission to manage role assignments within the following restrictions:
- The ‘Assign Roles’ user can only change role assignments for users currently assigned to a role less than or equal to the ‘Assign Roles’ user’s role. This prevents them from removing permissions from a user with more elevated access.
- The ‘Assign Roles’ user can only assign users to a role less than or equal to the ‘Assign Roles’ user’s role. This prevents them from elevating their own access.
My proposal regarding permissions for ‘Manage all users’ is very similar, whereby a limited ‘Manage Users’ permission would be created that allowed users with this permission to edit users and reset passwords for those users whose role is less than or equal to the ‘Manage Users’ role. I could even see a need to make 'Reset user password' into a standalone permission.
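The two rules proposed above, plus the limited 'Manage Users' check, sketched as an added example that is not part of the original post and is not Domo's code. The numeric ranks, the `Limited Admin` role name, and the function names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed hierarchy for illustration: higher number = more access.
# "Limited Admin" stands in for the custom role; it is not a built-in name.
ROLE_RANK = {"Participant": 1, "Privileged": 2, "Limited Admin": 3, "Admin": 4}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    grants: frozenset = frozenset()  # permission grants held via the role


def _ranks(*roles):
    """Return ranks for all roles, or None if any role is unknown (fail closed)."""
    ranks = [ROLE_RANK.get(r) for r in roles]
    return None if None in ranks else ranks


def can_assign_role(actor, target, new_role):
    """Proposed 'Assign Roles': both the target's current role and the new
    role must be less than or equal to the actor's own role."""
    if "Assign Roles" not in actor.grants:
        return False
    ranks = _ranks(actor.role, target.role, new_role)
    if ranks is None:
        return False
    actor_rank, target_rank, new_rank = ranks
    return target_rank <= actor_rank and new_rank <= actor_rank


def can_manage_user(actor, target):
    """Proposed limited 'Manage Users': edit or reset passwords only for
    users whose role is less than or equal to the actor's role."""
    if "Manage Users" not in actor.grants:
        return False
    ranks = _ranks(actor.role, target.role)
    return ranks is not None and ranks[1] <= ranks[0]


if __name__ == "__main__":
    delegate = User("delegate", "Limited Admin", frozenset({"Assign Roles", "Manage Users"}))
    owner = User("owner", "Admin")
    print(can_assign_role(delegate, delegate, "Admin"))      # self-elevation
    print(can_assign_role(delegate, owner, "Participant"))   # demoting an Admin
```

Because both rules use "less than or equal", a delegate can still reassign users who sit at the delegate's own level, including moving them down.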