It is becoming increasingly common for department managers to have the authority to grant and modify application access for their employees. However, there may be times when you need to restrict which employees are eligible to receive a specific permission.
This article explains how to use the "Can be given permission" feature to create a ruleset that defines which users can be granted a specific permission.
Procedure
-
Go to Access Control and select the appropriate group.
-
Click Edit on the group.
-
Find the permission you want to restrict in the list. In the "Can be given" column, click + Create.
-
Configure the ruleset to specify which users are eligible to receive this permission.
-
Click Save.
After configuration, the permissions will indicate that a rule is in place, as shown in the example below.
Warning: The person who assigns the permission must also be included in the ruleset for "Can be given permission". It is a security best practice that a user cannot assign permissions for which they do not qualify.