Forum Discussion

mnagel
7 years ago

allow security group definitions

At this time, it is impossible to use groups effectively within an organization because they serve different purposes and those purposes cannot coexist. 

When you use groups for organizational reasons and you also want to use other groups for security, if those groups overlap then the security purpose fails unless the role assigned to the security group also has equivalent access to ALL other groups containing the device. 

A simple example we run into is defining Location groups to avoid needing to repeat the location property umpteen times.  If a device is placed in that group and also a group intended to grant 'manage' access to devices in that group only (e.g., "Voice Servers"), the access fails since that device is also in Location-XXX, which is not granted 'manage'.  Having to grant that group 'manage' means you may as well just give everyone that role on everything.

My recommendation is to add an option for groups to indicate they are used only for security purposes, then the other group types are ignored during role evaluation.  There are other means of doing this, but one that will not fly is the one I was told to use (manually assign the location property to each and every device and define dynamic groups from that).  The only way that makes sense is if we can bind property groups to devices (I posted that FR a while back).  Bottom line is, we are unable to grant permissions to different device groups within an organization to isolate access as needed in any multi-admin team structure.  All we can do is grant manage to everyone and hope they don't clobber something they should not.
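To make the evaluation problem in the post concrete, here is a small Python model added to this thread (it is not LogicMonitor code and does not reflect any verified product internals). It encodes the behaviour the poster describes: a device is only as accessible as its least-privileged containing group, so one organizational group with no grant blocks `manage`. It then models the proposed `security_only` flag, under which organizational groups drop out of role evaluation whenever a security group contains the device, and contrasts both with the rejected workaround of granting `manage` on the location group. The `Group`, `effective_privilege` and `manageable_devices` names, the `security_only` flag and the device inventory are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    """A device group. `security_only` is the flag proposed in the post (hypothetical)."""
    name: str
    security_only: bool = False


# Privilege ordering used by the model. Under the current behaviour described in
# the post, the lowest grant across all containing groups is what the role gets.
PRIV_RANK = {"none": 0, "view": 1, "manage": 2}
RANK_PRIV = {v: k for k, v in PRIV_RANK.items()}


def effective_privilege(grants: dict, groups: list, security_aware: bool) -> str:
    """Privilege a role with `grants` (group name -> 'view'/'manage') gets on one device.

    security_aware=False models the behaviour the post complains about: every group
    containing the device takes part in evaluation, so the lowest grant wins.
    security_aware=True models the proposal: if any security-only group contains the
    device, organizational groups are ignored and only security groups are evaluated.
    A device in no security group falls back to the current behaviour.
    """
    considered = groups
    if security_aware:
        security_groups = [g for g in groups if g.security_only]
        if security_groups:
            considered = security_groups
    if not considered:
        return "none"
    lowest = min(PRIV_RANK[grants.get(g.name, "none")] for g in considered)
    return RANK_PRIV[lowest]


def manageable_devices(grants: dict, inventory: dict, security_aware: bool) -> list:
    """Sorted names of devices on which the role ends up with 'manage'."""
    return sorted(
        name for name, groups in inventory.items()
        if effective_privilege(grants, groups, security_aware) == "manage"
    )


# Constructed sample data, mirroring the post's Location / "Voice Servers" example.
LOCATION_NYC = Group("Location-NYC")                        # organizational group
VOICE_SERVERS = Group("Voice Servers", security_only=True)  # meant to scope 'manage'
DB_SERVERS = Group("DB Servers", security_only=True)

INVENTORY = {
    "voice01": [LOCATION_NYC, VOICE_SERVERS],
    "voice02": [LOCATION_NYC, VOICE_SERVERS],
    "web01": [LOCATION_NYC],
    "db01": [LOCATION_NYC, DB_SERVERS],
}

# Role intended to manage voice servers only.
VOICE_ADMIN = {"Voice Servers": "manage"}
# The workaround the post rejects: also grant 'manage' on the location group,
# which leaks 'manage' onto every device at that location.
VOICE_ADMIN_WORKAROUND = {"Voice Servers": "manage", "Location-NYC": "manage"}

if __name__ == "__main__":
    roles = [("voice_admin", VOICE_ADMIN), ("voice_admin+location", VOICE_ADMIN_WORKAROUND)]
    for label, grants in roles:
        for aware in (False, True):
            devices = manageable_devices(grants, INVENTORY, aware)
            print(f"{label:22s} security_aware={aware!s:5s} manage -> {devices}")
```

Running the model shows the three outcomes the post describes: with current evaluation the voice-only role manages nothing, because every voice server is also in `Location-NYC`; the location-grant workaround makes the voice servers manageable but also `web01`; and with security-aware evaluation the voice-only role manages exactly the two voice servers and nothing else.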