Prevent roles from managing other roles while still making them visible?
Hi! I’m struggling with this scenario: We have a couple of user roles, say: Manager, Backoffice, Callcenter. Manager can manage all users. Backoffice can only manage Callcenter users. Callcenter can only manage themselves. The problem is, that we need to assign tickets to eachother. So a Callcenter user has to assign a ticket to a Manager user. But the problem is, that a Callcenter (and Backoffice) user cannot ‘see’ the users with other roles from a select view to assign a ticket to… When I set the ticks that allows the Callcenter and Backoffice user to ‘manage’ users with other roles, they are visible again. But this allows these users to also ‘edit’ users with those ‘higher’ roles… Is there a solution for both limiting edit permissions and permitting all users to ‘see’ all users? Cheers. Edit: April 1st, 2021 – Added picture
I think you made a mistake in your domain model. Where do you store the employee data? Because selecting an employee should have nothing to do with the account that is attached to that employee.
You can solve this by adding an new entity access rule on Administration.Account. By default, only admins can see all other names, and users can only see their own names, as can be seen here:
You want to add an extra row here with read access for all users without Xpath restriction for other users:
Please note that this will result in all users being able to see ALL other's full names. In order to restrict this you could add some XPath (but not too restricting).