Hi guys,
I imagine this is a commonly asked question with a very simple answer but I can't find any other related discussions...
I have three groups...
'Administrators'
'Admin Group'
'Standard Users'
The 'Administrators' group has our 'administrator' user, a super user with access to everything.
The 'Admin Group' is a group of users I want to grant basic admin rights (create user, change password, enable/disable user, delete user) to. These users should only be able to create/manage users in the 'Standard Users' group.
The 'Standard Users' group is a-ok.
So.... can someone tell me how to assign the following rights to our 'Admin Group'?
I want them to be able to:
1. Login to CMC.
2. Click 'Users and Groups'.
3. Edit existing users (enable/disable users, change password).
4. Create new users and assign them to the 'Standard Users' group.
And that is all. I don't need them to be able to do anything else. Just create and manage users in the 'Standard Users' group.
====
What I've tried so far:
I have created an 'Access Level' called 'Admin Group Access Level'.
I right-click the access level and go to Included Rights > Add/Remove Rights and have GRANTED the following (everything else left at Non-Specified):
Application > CMC > General Rights for CMC > 'Log on to the CMC and view this object in the CMC'
System > User > 'Add objects to the folder' ... This, I presume will allow users with this access level to create users in any principal they are assigned to.
System > User > 'Change user password' ... I assume this will allow users to change the password of users in any principal they are assigned to.
System > User > 'Delete objects' ... Delete users
System > User > 'Edit Objects'
System > User Group > 'Add objects to the folder' ... I assume this will allow users of 'Admin Group' to add users to a group.
Click 'OK' and then:
User Security > Add Principal > Groups and move 'Admin Group' across.
Click 'Add and Assign Security' and move 'Admin Group Access Level' from 'Available Access Levels' to 'Assigned Access Levels' and click 'OK'.
Now, 'Admin Group Access Level' has 3 principles assigned to it:
'Administrators' >> I 'Remove Access' so that it has no inheritance from administrators group
'Admin Group' >> I click 'Assign Security' and add 'Admin Group Access Level'
'Everyone' >> I 'Remove Access' so that it has no inheritance from everyone group.
Click OK and CLOSE.
Now! I've probably broken the whole thing as my user 'administrator' is now unable to do anything more to this group as, I presume, I've removed access to all this from the 'Administrators' group.
===
Any help would be greatly appreciated... please forgive my complete lack of knowledge.
Regards,
Kahli.