/Management/Users permissions
Use this object to manage user accounts. Action tasks and associated permissions include:
Permission      Operation
d (delete)      Delete a user account.
m (modify)      Modify the details of a user account.
N (create)      Create a user and optionally assign that user to one or more groups. Import group data from the user registry.
v (view)        List user accounts and show details for a user account.
W (password)    Reset and validate a user password.
The password (W) permission allows password resets. It is appropriate to give to help desk administrators so they can assist users who forget their passwords. With it, an administrator can reset the password and then run the user modify password-valid command with a value of no. The user can then log on but is immediately forced to set a new password. The password-valid flag is separate from password expiry: setting password-valid to no for a user says nothing about whether the password has expired under the maximum password age policy, which is a global setting. The policy set max-password-age command sets the maximum age a password can reach before it expires.
The ability for an administrator to manage all user accounts is controlled by permissions on the /Management/Users object. For example, if an administrator has view (v) permission on the /Management/Users object, that administrator can view information about all users.
To limit the scope of administrator control to a specific group, remove the administrator permissions from the /Management/Users object. Apply permissions to the /Management/Groups object associated with the group to be managed. For example, if an administrator is given view (v) permission on the /Management/Groups/Accounting object, that administrator can view only information about users in the Accounting group.
If an administrator has view (v) permission on /Management/Groups/group_name for any group the user is a member of, the administrator can view the information for that user. Adding the view (v) permission to the /Management/Groups object itself allows an administrator to view information about any user who is a member of any group.
Access granted by the /Management/Users object overrides any access restrictions imposed by delegated administration policy ACLs under /Management/Groups/group_name. For information about delegated administration, see [delegated-admin] stanza.
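The scoping rules above can be worked through with a small model of how an administrator's effective scope is resolved. The following is an added example written for this page; it is not product code and does not read real pdadmin ACLs. It assumes a simplified ACL representation (protected object name to a map of administrator name to permission string), constructed sample ACL entries and group memberships, and that a user who belongs to no group is outside the scope of /Management/Groups, as the page states. The helper names (granting_object, scope, has_perm) are hypothetical.

```python
from typing import Dict, Optional, Set

USERS_OBJECT = "/Management/Users"
GROUPS_OBJECT = "/Management/Groups"

# Permission letters defined on /Management/Users (and on /Management/Groups/<group>).
PERMS = {"d": "delete", "m": "modify", "N": "create", "v": "view", "W": "password"}

# Constructed sample ACL entries: protected object -> {administrator: permission string}.
# In the product these would be pdadmin ACLs attached to the objects; this is only a model.
ACLS: Dict[str, Dict[str, str]] = {
    USERS_OBJECT: {"sec_master": "dmNvW", "helpdesk1": "W", "wide": "v"},
    GROUPS_OBJECT: {"auditor": "v"},
    GROUPS_OBJECT + "/Accounting": {"acct-admin": "dmvW", "wide": "dm"},
    GROUPS_OBJECT + "/Engineering": {"eng-admin": "v"},
}

# Constructed sample group membership of managed user accounts.
MEMBERSHIPS: Dict[str, Set[str]] = {
    "alice": {"Accounting"},
    "bob": {"Engineering"},
    "carol": set(),  # member of no group at all
}


def has_perm(acls: Dict[str, Dict[str, str]], obj: str, admin: str, perm: str) -> bool:
    """True if the ACL on `obj` grants `admin` the single permission letter `perm`."""
    return perm in acls.get(obj, {}).get(admin, "")


def granting_object(acls, admin: str, perm: str, user: str, memberships) -> Optional[str]:
    """Return the protected object through which `admin` may apply `perm` to `user`.

    Resolution order mirrors the page:
      1. /Management/Users applies to every user and overrides any delegated
         restriction under /Management/Groups/<group>.
      2. /Management/Groups applies to any user who is a member of any group.
      3. /Management/Groups/<group> applies to members of that group.
    Returns None when no object grants the permission.
    """
    if perm not in PERMS:
        raise ValueError(f"unknown permission letter {perm!r}")
    if has_perm(acls, USERS_OBJECT, admin, perm):
        return USERS_OBJECT
    groups = memberships.get(user, set())
    if groups and has_perm(acls, GROUPS_OBJECT, admin, perm):
        return GROUPS_OBJECT
    for group in sorted(groups):
        obj = f"{GROUPS_OBJECT}/{group}"
        if has_perm(acls, obj, admin, perm):
            return obj
    return None


def scope(acls, admin: str, perm: str, memberships) -> Set[str]:
    """The set of managed users that `admin` may apply `perm` to."""
    return {u for u in memberships if granting_object(acls, admin, perm, u, memberships)}


if __name__ == "__main__":
    for admin, perm in [("sec_master", "d"), ("helpdesk1", "W"), ("helpdesk1", "v"),
                        ("auditor", "v"), ("acct-admin", "m"), ("eng-admin", "v"),
                        ("wide", "v"), ("wide", "d")]:
        users = sorted(scope(ACLS, admin, perm, MEMBERSHIPS))
        print(f"{admin:<11} {PERMS[perm]:<9} -> {users}")
```

Two results are worth noting. The auditor, who holds view only on /Management/Groups itself, can see alice and bob but not carol, because carol is in no group; and the wide administrator, who holds view on /Management/Users, can view every user regardless of the narrower delete/modify entry on /Management/Groups/Accounting, which is the override rule stated above.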