Prevent administrative user with tenant from deleting users in different tenant

I have a requirement to have “tenant admins” who can administer users within their tenant.
I was able to make it so that they can create users and add them only to groups of their tenant by giving them READ, UPDATE privileges solely on the groups of the same tenant:

[image]

But they can still delete users who do not belong to their tenant and, in general, work with those accounts. Restricting access privileges for every single user would probably be possible, but that can easily be forgotten. Can I prevent a “tenant admin” from working with users who do not belong to the same tenant? If there is no such authorization setting, is there a plugin hook where I could prevent the access to a user from a different tenant, something like processEngineConfiguration.setCustomPreDeployers for deployments?