Subgroup or Role or?

hi, This should be simple and I presume I’m still unclear on these things. We’re using 4.4.2 and have a setup where users are created and assigned to a subgroup (‘orgA users’) which belongs to a group (‘orgA’. At the moment our group structure is as below:

groups:  'orgA' has 2 subgroups 'orgA_admin', 'orgA_users';

anyone in this 'orgA' family of groups has a specific orgA draft queue and published queue.

Our goal is to have a set of designated users within ‘orgA’ to manage the ‘orgA_users’ roster through the RT interface.

To do this, I’d created subgroup ‘orgA_admin’ whose users will be allowed to create new orgA user accounts and then add/remove these users to the subgroup ‘orgA_users’ as needed. However when I create an orgA_admin account and log into the RT interface, I don’t see any dashboard options allowing this despite granting ‘Modify group membership roster/AdminGroupMembership’ rights to ‘everyone, privileged’ and ‘unprivileged’

RT allows for Roles, which I thought would be even better, but based on forum searches this doesn’t seem to fit my needs (being that it’s assigned at the ticket level or queue level). I’ve tried creating roles and assigned them to Queues and have tried to give permissions to allow them ‘modify group membership roster’ but still no luck.

I’m questioning my need for an entire Admin subgroup; whether users can be comingled with the Users subgroup. I’m questioning whether a Role is a preferred way to manage these privileges.

Either way, I’m unable to log into RT with this user account and have access to modifying group memberships.

Any advice/ideas?

If you (as SuperAdmin) go into the Admin->Global->Group Rights menu, put OrgA_admin into the Add Group text field and then select the Rights for Administrators tab, you should be able to check the Show Admin menu option (aka ShowConfigTab, then click Save changes. Next in Admin->Groups select OrgA_users. Remove the Modify group membership roster/AdminGroupMembership from Everyone, privileged and unprivileged.

Now Put OrgA_admin into the Add group text box and then check the Modify group membership roster/AdminGroupMembership in the Rights for administrators tab for them. You’ll also need to give View Group (aka SeeGroup) rights to them in the Rights for staff tab. Save the changes.

Now members of the OrgA_admin group will see the Admin menu, and they can select Groups from it. It should only show them groups they have View Group (aka SeeGroup) rights for, and only let them add users to the group they haveModify group membership roster (aka AdminGroupMembership) rights for. So in this case orgA_users. The admin menu will show them other options as well, but they won’t have permissions to do much (if anything) with them.

This is great - thank you! This is very close to what I’m after…
I see that many Admin functions are not allowed, but is there a way to disallow them from
viewing or modifying User Rights/User Rights?

This is so good - if you were here’d I’d buy you a beer…

Hmm, dunno - on my test system where I tried that out yesterday they get “Permission denied” if they try to modify any user rights (via the group membership form), and the User element of the Admin menu isn’t shown.