Currently, a role can either manage all roles, or view specific ones in groups. It would be nice to give a role the ability to manage/create roles in a specific role group but not all groups. We have a set of users that need the ability to create roles for customers but we don't want that set of users to alter other roles in groups outside of the ones dedicated to customers.
NeophyteWe *kind* of have this about to go.. Each customer is a AD group, each AD groups maps to a role, add customers into x AD group, send AD group as a claim rule via SAML
Amen to that
We have a number of customers with their own groups, and they actively like to add and remove user access since they have many contractors coming in and out.
They keep hammering us with daily changes in user access.
If we could designate limited role management, that would save us a ton of admin overhead. I currently have a work around by having a server page that runs a script based on a form, per customer group which I have handed to each of them. But that is a very janky way of doing it, it doesnt look nice or OFFICIAL, plus it still has an admin level apikey stored inside the webpage code(even if its obfuscated). But even this doesnt fully cover everything despite the automation. Manual intervention is often required.
