I have the following use case related to user administration:
We have a separate user administration department that is responsible for creating users and assigning the appropriate authorisations.
User X of the user administration department should be able to create end users and assign the end user to the appropriate user groups.
User X of the user administration should NOT be able to assign System Administration roles and Global content Administration roles and User Administrator roles to end users.
User X of the user administration should NOT be able to assign System Administration roles and Global content Administration roles to users with User administration roles.
Only the system administrator should be able to assign User administration roles to users.
When I assign the User Administration role to user X of the user administration department, this user will be able to assign other users and his own user the System administration, the Global content Administration role and also the User Administration role to end users.
The consequence will be that it is not possible to separate the development roles, the user administration roles and the end user roles.
This is causing segregation of duties conflicts.
Looking forward to any suggestions / solutions.