To grant a user permissions on a securable, roles must be assigned to that user on that securable (i.e. a role assignment must be created). For existing users, roles can be assigned directly and role assignments can be removed. When inviting users, roles can be assigned together with the invitation. To remove permissions a user has on a securable, the corresponding role assignments must be deleted.
The following checks are performed when creating or deleting role assignments:
• User U1 can only assign a role R to user U2 on the system securable if U1 is granted all the permissions (customer permissions and system permissions) contained in R on the system securable and if U1 is granted the EDIT_USERS system permission.
• User U1 can only delete a role assignment with role R and user U2 on the system securable if U1 is granted all the permissions (customer permissions and system permissions) on the system securable and if U1 is granted the EDIT_USERS system permission.
• User U1 can only assign a role R to user U2 on customer C if U1 is effectively granted all the customer permissions contained in R on C and if U1 is effectively granted the EDIT_USER_ASSIGNMENTS permission on C.
• User U1 can only delete a role assignment with role R, user U2 and customer C if U1 is effectively granted all the customer permissions contained in R on C and if U1 is effectively granted the EDIT_USER_ASSIGNMENTS permission on C.
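The assignment checks above amount to a subset test that stops a user from handing out permissions they do not hold themselves. The following sketch is an added example, not the product's own code: the `Role` class, the `"system"` key, the function names and the permission names other than EDIT_USERS and EDIT_USER_ASSIGNMENTS are assumptions, and resolving what U1 is "effectively granted" is left to the caller. The same test applies to deleting an assignment on a customer; deletion on the system securable is not modelled.

```python
from dataclasses import dataclass

SYSTEM = "system"  # assumed key for the system securable


@dataclass(frozen=True)
class Role:
    name: str
    customer_permissions: frozenset = frozenset()
    system_permissions: frozenset = frozenset()


def missing_permissions(actor_grants, role, securable):
    """Return the permissions U1 lacks to assign `role` on `securable`.

    actor_grants maps a securable to the set of permissions U1 is
    (effectively) granted there. An empty result means the check passes.
    """
    held = actor_grants.get(securable, frozenset())
    if securable == SYSTEM:
        # System securable: every permission in R plus EDIT_USERS.
        required = (role.customer_permissions | role.system_permissions
                    | {"EDIT_USERS"})
    else:
        # Customer securable: only R's customer permissions count,
        # plus EDIT_USER_ASSIGNMENTS on that customer.
        required = role.customer_permissions | {"EDIT_USER_ASSIGNMENTS"}
    return sorted(required - held)


def may_assign(actor_grants, role, securable):
    return not missing_permissions(actor_grants, role, securable)


# Constructed sample data (permission and customer names are made up).
ANALYST = Role("analyst", frozenset({"VIEW_REPORTS"}))
ADMIN = Role("admin", frozenset({"VIEW_REPORTS", "EDIT_CAMPAIGNS"}),
             frozenset({"EDIT_USERS"}))
U1 = {
    "customer-a": frozenset({"VIEW_REPORTS", "EDIT_USER_ASSIGNMENTS"}),
    "customer-b": frozenset({"VIEW_REPORTS", "EDIT_CAMPAIGNS"}),
    SYSTEM: frozenset({"VIEW_REPORTS", "EDIT_USERS"}),
}

if __name__ == "__main__":
    for role in (ANALYST, ADMIN):
        for securable in U1:
            print(role.name, securable,
                  missing_permissions(U1, role, securable) or "allowed")
```

Returning the missing permissions rather than a bare boolean makes a denied request easy to log and audit.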