User and group access entitlements

The permissions to manage users and groups are split into separate user and group entitlements. When you view or edit a group in the UI and search for its members, the following group entitlements cannot access group members on their own; each requires an extra user entitlement.

  • readGroupMembers and manageGroupMembers require readUsersGroupMembership or an entitlement with higher-level access such as manageUsers, which also implies readUsersGroupMembership.
  • readStandardGroupMembers and manageStandardGroupMembers require readUsersStandardGroupMembership or an entitlement with higher-level access such as manageUsersInStandardGroups, which also implies readUsersStandardGroupMembership.
  • updateAnyGroupMember has two requirements. For access to group members, it requires readStandardGroupMembers, readGroupMembers, or an entitlement with higher-level access. For access to users and group membership, it also requires readUsersGroupMembership or an entitlement with higher-level access such as manageUsers, which implies readUsersGroupMembership.
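
The dependency rules above can be checked mechanically when you review a custom role. The following is an added example, not product code: it flags group entitlements in a role that cannot reach group members because the required user entitlement is absent. It models only the implications this page names (manageUsers and manageUsersInStandardGroups); the function names and the sample role are assumptions made for illustration.

```python
# Added example: audit a role against the group-member dependency rules on this page.
# Only the implications the page names are modelled; any other "higher-level"
# entitlement must be added to IMPLIES before the result can be trusted for it.
IMPLIES = {
    "manageUsers": {"readUsersGroupMembership"},
    "manageUsersInStandardGroups": {"readUsersStandardGroupMembership"},
}

# Each entitlement maps to a list of requirement groups: every group must be
# satisfied (AND), and any one entitlement inside a group satisfies it (OR).
REQUIRES = {
    "readGroupMembers": [{"readUsersGroupMembership"}],
    "manageGroupMembers": [{"readUsersGroupMembership"}],
    "readStandardGroupMembers": [{"readUsersStandardGroupMembership"}],
    "manageStandardGroupMembers": [{"readUsersStandardGroupMembership"}],
    "updateAnyGroupMember": [
        {"readStandardGroupMembers", "readGroupMembers"},
        {"readUsersGroupMembership"},
    ],
}


def effective(granted):
    """Expand the granted entitlements with everything they imply."""
    result = set(granted)
    frontier = list(result)
    while frontier:
        for implied in IMPLIES.get(frontier.pop(), ()):
            if implied not in result:
                result.add(implied)
                frontier.append(implied)
    return result


def audit(granted):
    """Return {entitlement: [unsatisfied requirement groups]} for a role."""
    have = effective(granted)
    findings = {}
    for ent in sorted(set(granted) & set(REQUIRES)):
        missing = [sorted(group) for group in REQUIRES[ent] if not (group & have)]
        if missing:
            findings[ent] = missing
    return findings


if __name__ == "__main__":
    # Constructed sample role, not taken from any real tenant.
    role = ["readGroupMembers", "updateAnyGroupMember", "manageUsersInStandardGroups"]
    for ent, missing in audit(role).items():
        print(f"{ent}: needs one entitlement from each of {missing}")
```

An empty result means every group entitlement in the role has its user-side requirement satisfied under the modelled rules.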

Extra permission requirements for functions

  • Advanced Search requires readAttributes. To take fuller advantage of the advanced search function, add readIdentitySources.
  • User information requires readAttributes.
  • Add user requires readIdentitySources and readAttributes.
  • Edit user requires readAttributes.
  • Edit security settings requires readPwdPolicy.

Additional permission requirements for group functions

  • Edit assigned password policy requires readPwdPolicy.

For a list of entitlements, see Access entitlements.