bonnedav wrote:You need to make sure that if a perm is removed from a sub-group manager they can't add it to another role.
Looks like "manage_roles" needs to be split in 2: "manage_roles" and "assign_roles", then one could remove the "manage_roles" from them to prohibit adjusting of roles.
bonnedav wrote:Also, this system works to let the top level manager edit sub group perms, but how would a level 2 manager remove a perm from the manager of one of there level 3 groups?
Same way? Of they created a subgroup they had a right to do so. Or using the top org account.
bonnedav wrote:Also, i think you should re-split "manage_settings" into "manage_basic_settings" and "manage_advanced_settings" as well as "manage_features". basic settings would be things like "date format", "time format" ext... Advanced settings would be things like "name", "bcc" ext...
I'll see if I can roll back the "manage_basic_settings" and "manage_advanced_settings" insted of one "manage_settings" although these names don't explain what they manage.