Goal: Allow editing membership of specific groups based on role. Currently the ability to edit group membership is an all-or-nothing privilege, meaning that if you wish for a user/role to edit the membership of one or more groups, you have to give them the ability to edit the membership of all groups.
The major problem here is that roles are group based, and by allowing a user to manage group membership, they can then elevate their own privileges in the system to that of a realm or even system administrator by simply moving their own or someone else's account to a group with greater privileges. In doing so a user can manipulate transcripts and much more.
A lesser problem is that it is inconvenient from a management perspective. It would be very convenient to allow for the creation of a group that could help onboard users into the system but also be able to assign those users to specific groups configured to autoenroll.
Two suggestions that could help accomplish the goal above would be:
Create a 'Groups' realm section that allows you to select which groups a role can edit settings and membership for. This would function similarly to the User and Course realms where you can set what users and courses a role can edit.
Allow system administrators to flag groups as protected or as other system groups. Then break out the group permissions in a role's permission tab to allow read or read/write access to groups, system groups, and protected groups. The functionality to distinguish group types already exists, as evidenced by system groups, so simply a means to set permissions for them separately while allowing us to flag groups as a system group would be ideal.
Please feel free to reach out for further info.
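
The difference between the current all-or-nothing privilege and the first suggestion, sketched as an added example that is not part of the original request or the product's code. The `editable_groups` field stands in for the proposed 'Groups' realm, and all role, group and user names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Role:
    name: str
    can_edit_groups: bool = False                # today's all-or-nothing privilege
    editable_groups: Optional[frozenset] = None  # hypothetical 'Groups' realm; None = no scope set

@dataclass
class Group:
    name: str
    role: Role                                   # roles are group based
    members: set = field(default_factory=set)

def may_edit_membership(actor, target, groups, enforce_realm):
    """True if any role the actor holds through group membership allows editing `target`."""
    for g in groups.values():
        if actor not in g.members or not g.role.can_edit_groups:
            continue
        scope = g.role.editable_groups
        if not enforce_realm or scope is None or target in scope:
            return True
    return False

def add_member(actor, user, target, groups, enforce_realm):
    if not may_edit_membership(actor, target, groups, enforce_realm):
        raise PermissionError(f"{actor} may not edit membership of {target}")
    groups[target].members.add(user)

def build_sample():
    # Constructed sample data: group, role and user names are invented.
    admin = Role("system-admin", can_edit_groups=True)
    onboarder = Role("onboarder", can_edit_groups=True,
                     editable_groups=frozenset({"New Hires"}))
    return {
        "System Admins": Group("System Admins", admin, {"root"}),
        "Onboarding Team": Group("Onboarding Team", onboarder, {"alice"}),
        "New Hires": Group("New Hires", Role("learner")),
    }

def self_escalation_allowed(enforce_realm):
    """Can an onboarder add their own account to the admin group?"""
    groups = build_sample()
    try:
        add_member("alice", "alice", "System Admins", groups, enforce_realm)
    except PermissionError:
        return False
    return "alice" in groups["System Admins"].members
```

With `enforce_realm=False` the onboarder's self-assignment to the admin group succeeds; with the realm enforced it is rejected while onboarding users into "New Hires" still works.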