How to grant a user the rights to create new users in Admin

Hello all

I’d like to grant a specific user (or group such as DepartmentManager, other than the built-in camunda-admin), the rights to create new users within a specific group, ie the department. How do I achieve that in Admin?

If not possible in Admin, can this be accomplished by making use of LDAP?

Hi,

the user would need the following permissions:

Application - ACCESS to Admin
Users - CREATE and READ on all users (*)
Group - READ on the Group you want to manage (this should be given if the user is part of the group)
Group Membership - CREATE on the ID of the group you want to manage

This should be the minimum required Authorizations to achieve that.

Let me know if you have any questions :slight_smile:

Thanks so much for your reply @martin.stamm

This certainly works, thanks so much.
However I’d like the DepartmentManager to have access to only the users in his/her department, not READ *. So I tried to break your 2nd authorization (Users - CREATE and READ on all users (*)) into two separate authorizations:

1. one for the CREATE *
2. the other for READ on only the users in the department.

However I fail to get the second authorization to work.
Partly because only a UserID, not a GroupID, is allowed in the Resource ID.
Which authorizations do I need so the DepartmentManager can only see users within that department?

Hi @eugene,

I’m not sure if you can restrict a user to only read users in a specific group.

Please correct me if I’m wrong here:
As I understand, you want to create a new user and add them to the Department. Restricting visibility this way would not work in this case. Because a newly created user has no Group, the Department Head will not be able to see them afterwards and can’t add them to the department.

Hi @martin.stamm

Yes, you’re perfectly right. I also bumped my head against that.

So, if I cannot assign each new user, created by the DepartmentManager, to a default DepartmentUsers group in Admin, can I achieve it any other way? Maybe with a BPMN “Create User” process, or an Admin plugin? I can then programmatically assign each user to the default DepartmentUsers group and grant the DepartmentManager a READ permission on each UserID created.

What are your thoughts, and do you have any other alternatives? Much appreciated.

Hey @eugene,

A simple BPMN process can solve this issue. Using the IdentityService in a service Task, you can create a new user and add it to the group.

Alternatively, you can also create an admin plugin and use the REST API to make the adjustments.

I think the BPMN process is easier to implement but not as transparent to the Manager. In the end, it's up to you and whether you prefer to write Java or JavaScript :wink:

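One way to implement the BPMN route from the reply above, as an added example that is neither from this thread nor Camunda's own code: a Java delegate for the service task that creates the user, adds it to the department group and grants the manager group READ on that single user id (the per-user READ grant proposed earlier), instead of READ on *. The process variable names newUserId, newUserEmail, departmentGroupId and managerGroupId are assumptions.

```java
import org.camunda.bpm.engine.AuthorizationService;
import org.camunda.bpm.engine.IdentityService;
import org.camunda.bpm.engine.authorization.Authorization;
import org.camunda.bpm.engine.authorization.Permissions;
import org.camunda.bpm.engine.authorization.Resources;
import org.camunda.bpm.engine.delegate.DelegateExecution;
import org.camunda.bpm.engine.delegate.JavaDelegate;
import org.camunda.bpm.engine.identity.User;

/**
 * Service task delegate for a "Create User" process.
 * Assumed process variables: newUserId, newUserEmail, departmentGroupId, managerGroupId.
 * The initial password is deliberately not read from a process variable,
 * because variables are persisted in history; set it in a separate step.
 */
public class CreateDepartmentUserDelegate implements JavaDelegate {

    @Override
    public void execute(DelegateExecution execution) {
        String userId = (String) execution.getVariable("newUserId");
        String email = (String) execution.getVariable("newUserEmail");
        String departmentGroupId = (String) execution.getVariable("departmentGroupId");
        String managerGroupId = (String) execution.getVariable("managerGroupId");

        IdentityService identityService =
                execution.getProcessEngineServices().getIdentityService();
        AuthorizationService authorizationService =
                execution.getProcessEngineServices().getAuthorizationService();

        // Refuse to touch an existing account: saveUser() on a known id would update it silently.
        if (identityService.createUserQuery().userId(userId).count() > 0) {
            throw new IllegalStateException("user already exists: " + userId);
        }

        // 1. Create the user
        User user = identityService.newUser(userId);
        user.setEmail(email);
        identityService.saveUser(user);

        // 2. Put the new user into the department group straight away
        identityService.createMembership(userId, departmentGroupId);

        // 3. Grant the manager group READ on exactly this user (resource id = user id, not "*")
        Authorization auth = authorizationService.createNewAuthorization(Authorization.AUTH_TYPE_GRANT);
        auth.setGroupId(managerGroupId);
        auth.setResource(Resources.USER);
        auth.setResourceId(userId);
        auth.addPermission(Permissions.READ);
        authorizationService.saveAuthorization(auth);
    }
}
```

Wire the class into the service task as a delegate expression or Java class; the manager group then only needs CREATE on Users (*) plus the per-user READ grants this delegate writes.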