Basic Rules for Access Control of Access Control
When creating sub-groups of the system-defined All Administrators group, mimic the structure that you have created for your users. For example, if you have created groups for your users based on regions such as USA, UK, and China, do the same for your administrators:
(The Super-Users group is automatically created by aPriori during installation.)
Only allow members of the Super-Users group to CREATE, UPDATE, or DELETE permissions.
By default, only members of the Super-Users group have Grant permission to associate permissions. Other administrators can associate permissions, but only within their own regions (this is controlled by the UPDATE permissions on the groups that represent regions).
Try to use parameterized permissions; do not use permission-specific rules that name an individual permission. If you must use permission-specific rules, then write an Associate (Add to Group) rule for every permission (that is, a rule stating who may associate it).
The following is a summary of the requirements for various aspects of Access Control of Access Control:
To create a Group or Permission: you need a CREATE permission defined on the Group and Permission resource types. (If you create a subgroup you will need an UPDATE permission on the parent group.)
To Delete a Group or Permission: you need a DELETE permission defined on the Group and Permission resource types.
To Update a Group: you need an UPDATE permission on the Group resource type.
Updating a group includes:
Adding a permission to the group or removing it.
Changing any attribute of the group (including its name).
Adding or removing users.
To Update a Permission: you need:
UPDATE permission on the Permission itself
UPDATE permission for any Group that the Permission is in
Updating a Permission includes updating any of its attributes (name, rule, resource, action, and so on).
Notes:
There are no user-defined attributes on permissions.
Renaming a permission requires UPDATE access on the permission and UPDATE access on all associated groups, because a rename is an update to the permission.
To Associate (Add) a Permission to a Group: you need ASSOCIATE permission on the Permission itself, and UPDATE permission on the Group.
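The requirements summarised above, encoded as an added Python example (not aPriori's own code): the grant tuples, group names, permission names and membership table are constructed assumptions, and each function implements one rule, including the two-part checks for updating a permission and for associating one with a group.

```python
from typing import Dict, Iterable, Optional, Set

# A Grant is one access-control permission held by an administrator:
# an action (CREATE/UPDATE/DELETE/ASSOCIATE) on a resource type ("Group" or
# "Permission"), optionally limited to one named instance. target=None means the
# grant is parameterized over every instance of that type (hypothetical model).
Grant = tuple  # (action, resource, target)

def has(grants: Iterable[Grant], action: str, resource: str, target: Optional[str] = None) -> bool:
    """True if a grant matches the action and resource, unrestricted or for this exact target."""
    return any(a == action and r == resource and t in (None, target) for a, r, t in grants)

def can_create_group(grants, parent: Optional[str] = None) -> bool:
    # CREATE on the Group type; a sub-group additionally needs UPDATE on its parent group.
    return has(grants, "CREATE", "Group") and (parent is None or has(grants, "UPDATE", "Group", parent))

def can_delete(grants, resource: str, name: str) -> bool:
    # DELETE on the Group or Permission resource type, for this instance.
    return has(grants, "DELETE", resource, name)

def can_update_group(grants, group: str) -> bool:
    # Covers adding/removing permissions or users and changing any attribute of the group.
    return has(grants, "UPDATE", "Group", group)

def can_update_permission(grants, perm: str, membership: Dict[str, Set[str]]) -> bool:
    # UPDATE on the permission itself AND UPDATE on every group the permission is in
    # (a rename is an update, so it follows the same rule).
    return has(grants, "UPDATE", "Permission", perm) and all(
        has(grants, "UPDATE", "Group", g) for g in membership.get(perm, set()))

def can_associate(grants, perm: str, group: str) -> bool:
    # ASSOCIATE on the permission itself AND UPDATE on the receiving group.
    return has(grants, "ASSOCIATE", "Permission", perm) and has(grants, "UPDATE", "Group", group)

# Constructed sample data: region-structured groups and two administrators.
MEMBERSHIP: Dict[str, Set[str]] = {
    "ViewUKParts": {"UK Admins", "UK Users"},
    "ViewAllParts": {"USA Admins", "UK Admins", "China Admins"},
}
SUPER_USER = [(a, "Group", None) for a in ("CREATE", "UPDATE", "DELETE")] + \
             [(a, "Permission", None) for a in ("CREATE", "UPDATE", "DELETE", "ASSOCIATE")]
UK_ADMIN = [("UPDATE", "Group", "UK Admins"), ("UPDATE", "Group", "UK Users"),
            ("UPDATE", "Permission", None), ("ASSOCIATE", "Permission", None)]

if __name__ == "__main__":
    # The UK admin may rename a UK-only permission but not one shared with other regions.
    print("UK admin renames ViewUKParts:", can_update_permission(UK_ADMIN, "ViewUKParts", MEMBERSHIP))
    print("UK admin renames ViewAllParts:", can_update_permission(UK_ADMIN, "ViewAllParts", MEMBERSHIP))
    print("UK admin adds ViewAllParts to USA Admins:", can_associate(UK_ADMIN, "ViewAllParts", "USA Admins"))
```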