Fine-tuning user group permissions allows you to reconsider who inside your organization can edit certain groups. For example, if your organization has a user group for company executives, you might not want lower-level administrators to have management permissions for that user group.
Use the Permissions page to control who can manage certain user groups and who can assign profiles, compliance policies, and applications to user groups. Important logic restrictions are highlighted in red.
- Navigate to Accounts > User Groups > List View.
- Select the Edit icon of an existing user group row.
- Select the Permissions tab, then select Add.
- Select the Organization Group you want to define permissions for.
Select the Permissions you want to enable.
- Manage Group (Edit/Delete) – Activate the ability to edit and delete user groups.
- Manage Users Within Group and Allow Enrollment – Manage users within the user group and to allow a device enrollment in the organization group. This setting can only be enabled when Manage Group (Edit/Delete) is also enabled. If Manage Group (Edit/Delete) is disabled, then this setting is also disabled.
- Use Group For Assignment – Use the group to assign security policies and enterprise resources to devices. This setting can only be changed if Manage Group (Edit/Delete) is disabled. If Manage Group (Edit/Delete) is enabled, then this setting becomes locked and uneditable.
Select the Scope of these permissions, that is, which groups of administrators are allowed to manage or use this user group. Only one of the following options may be active.
- Administrator Only – The permissions affect only those administrators at the parent organization group.
- All Administrators at or below this Organization Group – The permissions affect the administrators in the organization group and all administrators in all child organization groups underneath.
- Select Save.