/Management/Groups permissions
Use this object to manage groups and group membership.
| Permission | Description |
|---|---|
| d (delete) | Delete a group. |
| m (modify) | Modify group descriptions. Remove one or more user members of a group. |
| N (create) | Create a group. Import group data from the user registry. |
| v (view) | List groups and show group details. |
| A (add) | Add one or more users to a group. |
The add (A) permission is required on your entry in the ACL on a group so that you can add existing users to your group. Use the user create command, which requires the N permission, to create new users and optionally place them in one or more existing groups.
The ability to add existing users to your group is powerful because the owner of a group has control over all user members of the group. If you, as the owner of the group, also have the delete (d) permission, you can delete a user who is a member of the group from the entire domain.
The ability for an administrator to manage all groups is controlled by permissions on the /Management/Groups object. For example, if an administrator has the delete (d) permission on the /Management/Groups object, that administrator can delete any group.
To limit the scope of administrator control to a specific group, apply permissions to the object that is associated with the group. For example, if an administrator is given delete (d) permission on the /Management/Groups/Travel/Europe object, that administrator can delete any group within that object.
Permissions on /Management/Groups objects affect the ability of an administrator to manage users who are part of those groups. Giving an administrator delete (d) permission on a group allows that administrator to delete a user who is a member of the group. If an administrator has view (v) permission on a group, that administrator can view information about the users who are part of that group.
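The following audit sketch is an added example, not code from the product or its documentation. It flags administrators who hold both add (A) and delete (d) on a group object, the combination described above that lets a group owner add any existing user and then delete that user from the domain. The administrator names, the sample ACL entries, the group objects below Travel/Europe and Travel/Asia, and the rule that the nearest ACL at or above an object governs it are all assumptions.

```python
# Constructed sample data: object path -> {administrator: permission letters}.
ACLS = {
    "/Management/Groups": {"root-admin": "dmNvA", "helpdesk": "v"},
    "/Management/Groups/Travel/Europe": {"eu-admin": "mvAd", "eu-clerk": "vA"},
    "/Management/Groups/Travel/Asia": {"asia-admin": "mv"},
}

def governing_acl(obj, acls=ACLS):
    """Return (path, entries) of the nearest ACL at or above obj.
    Assumption: the closest attached ACL applies, not a union of ancestors."""
    path = obj.rstrip("/")
    while path:
        if path in acls:
            return path, acls[path]
        path = path.rsplit("/", 1)[0]
    return None, {}

def effective(admin, obj, acls=ACLS):
    """Permission letters admin holds on obj (case-sensitive: N is create)."""
    _, entries = governing_acl(obj, acls)
    return set(entries.get(admin, ""))

def can_delete_arbitrary_user(admin, group_obj, acls=ACLS):
    """A lets the admin add any existing user to the group; d on the
    group then lets the admin delete that member from the domain."""
    return {"A", "d"} <= effective(admin, group_obj, acls)

def audit(group_objs, acls=ACLS):
    """List (admin, group object) pairs holding the A + d combination."""
    findings = []
    for obj in group_objs:
        _, entries = governing_acl(obj, acls)
        for admin in sorted(entries):
            if can_delete_arbitrary_user(admin, obj, acls):
                findings.append((admin, obj))
    return findings

if __name__ == "__main__":
    # Hypothetical group objects used only for this demonstration.
    groups = ["/Management/Groups/Travel/Europe/Sales",
              "/Management/Groups/Travel/Asia/Sales",
              "/Management/Groups/Finance"]
    for admin, obj in audit(groups):
        print(f"{admin} holds A+d on {obj}")
```

Splitting the two permissions between different administrators, or granting A without d on delegated group objects, removes each finding the audit reports.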