/Management/Groups permissions
Use this object to manage groups and group membership.
| Attribute | Permission | Description |
|---|---|---|
| d | delete | Delete a group. |
| m | modify | Modify group descriptions. Remove one or more user members of a group. |
| N | create | Create a group. Import group data from the user registry. The user create command, which creates new users and places them in existing groups, requires the N permission. |
| v | view | List groups and show group details. |
| A | add | Add one or more users to a group. For the ability to add existing users, set this attribute in your ACL group entry. |
The capability of adding existing users to your group is powerful because the owner of a group has control over all user members of the group. If you, as the owner of the group, also have the delete (d) permission, you can delete this user from the entire domain.
The ability for an administrator to manage all groups is controlled by permissions on the /Management/Groups object. For example, if an administrator has delete (d) permission on the /Management/Groups object, that administrator can delete any group.
To limit the scope of administrator control to a specific group, apply permissions to the object associated with the group. For example, if an administrator is given delete (d) permission on the /Management/Groups/Travel/Europe object, that administrator can delete any group within that object.
Permissions on /Management/Groups objects affect the ability of an administrator to manage users who are part of those groups. Giving an administrator delete (d) permission on a group allows that administrator to delete a user who is a member of the group. If an administrator has view (v) permission on a group, that administrator can view information about the users that are part of those groups.
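The scoping rules above, and the add-plus-delete combination described earlier, can be checked mechanically. The following Python audit sketch is an added example, not IBM code: the ACL data, administrator names and the `Sales` and `Finance` groups are constructed, and it assumes an object without its own ACL is governed by the ACL of its nearest ancestor.

```python
# Added example: audit model only. All ACL data below is constructed.
# Assumption: an object with no attached ACL is governed by the ACL of its
# nearest ancestor, and that ACL replaces (does not merge with) higher ones.

GROUP_PERMS = {"d": "delete", "m": "modify", "N": "create", "v": "view", "A": "add"}

# Constructed sample: object path -> {administrator: permission string}
ACLS = {
    "/Management/Groups": {"root_admin": "dmNvA", "helpdesk": "v"},
    "/Management/Groups/Travel/Europe": {"eu_admin": "dvA", "eu_clerk": "vA"},
}


def effective_acl(obj, acls):
    """Return the ACL entries governing obj: its own, else the nearest ancestor's."""
    path = obj.rstrip("/")
    while path:
        if path in acls:
            return acls[path]
        path = path.rsplit("/", 1)[0]  # step up one level in the object space
    return {}


def permissions(admin, obj, acls):
    """Set of group-permission letters that admin holds on obj."""
    return {p for p in effective_acl(obj, acls).get(admin, "") if p in GROUP_PERMS}


def add_and_delete_holders(obj, acls):
    """Administrators holding both add (A) and delete (d) on obj.

    Per the text, such an administrator can add an existing user to the
    group and then delete that user from the entire domain.
    """
    return sorted(
        admin for admin in effective_acl(obj, acls)
        if {"A", "d"} <= permissions(admin, obj, acls)
    )


if __name__ == "__main__":
    for group in ("/Management/Groups/Travel/Europe/Sales",
                  "/Management/Groups/Finance"):
        print(group, "->", add_and_delete_holders(group, ACLS))
```

Administrators it reports are candidates for dropping either A or d, or for moving their ACL entry to a narrower group object.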