The user admin role is for provisioning users in aPriori Professional. Therefore, user admins must be able to

• Create end users.

• Update end users.

• Remove end users.

User admins cannot open or edit any other features including:

• LDAP connections

• Roles

• License Modules

• Deployment – Default

• User Defined Attributes

• Dialog Views

• Permissions

• System Variables

• Composites Mapping Files

User admins can see admin users, but they cannot modify admin users.

Although user admins have limited abilities to modify groups, they cannot:

• Create groups.

• Change the name of admin groups or modify other properties of admin groups.

• Add users to system admin groups, VPE admins groups, or configured admin groups.

• Add or remove permissions that are associated to any group.

• Add, update, or delete group attributes.

Convert the role requirements into permission requirements. Group the permission requirements according to the actions that they grant or deny the right to do. For example, based on the User Admins role requirements, permissions for the group must:

• Deny the right to Update any admin groups including any configured admins group. (1)

• Grant the right to Open and Edit:

o Group Membership (2)

o Groups (3)

o Users (4)

Therefore, four permissions (1, 2, 3, and 4) are needed for the User Admins group.