How to allow membership changes only for groups located in the Admin Unit scope and Additional scopes

Summary: This article contains step-by-step instructions on how to allow membership changes only for groups located in the Admin Unit scope and Additional scopes.

Applies to: 7.2.x and later

ID: KB20210205-2

---

Configuration:

In Cayosoft Administrator, when you delegate access to one of the following web actions, the delegated user would be able to remove any group from the Member Of list:

1. User Properties web action.
2. Add to Groups web action.
3. Compare Membership web action (Active Directory).

If you have a set of Active Directory groups that are managed centrally and you do not want to delegate Admin Unit administrators permission to remove accounts from these groups, you can restrict that access further by changing the Allow membership changes for these groups setting on these web actions. In this case, delegated administrators will be able to change membership only for groups located in the Admin Units scope:

1. In Admin Console navigate to User Properties, Compare Membership, or Add to Groups web actions.
2. Open More Options section.
3. Set the Allow membership changes for these groups to Only groups located in the Admin Unit scope and Additional Scopes. You might also need to set the Additional Scopes setting on the AD Users web query. See the AD Users web query article for details.
4. If you use Compare Membership web action, you should also set Allow to edit membership to Yes. 
5. Save Changes.