Preventing group admins from accessing system-wide settings

My company has been using Passbolt for a couple of years, and we’re considering an upgrade but…

It looks like there are only 2 levels of access to Passbolt: ‘admin’ or ‘user’. Most of our users have ‘user’ access, but some people need to be able to create groups and assign group managers, so they have ‘admin’ access.

However, I’ve just realised that making a person an ‘admin’ gives rights to access and change system-wide settings, such as MFA, Single Sign-on etc. This is horrifying to me!

Have I misunderstood something? Is there a way to give people basic rights to administer groups, without letting them see or change really significant system-wide settings?

Hey @schester, welcome to the forum!

You are correct that right now there are only 2 levels for users: the admins and the regular users.

Generally, the approach to this problem would be that an admin creates the groups and assigns a regular user as the group manager; the group manager would then have the ability to add and remove users from the group but not have access to the other admin settings.

Alternatively, if you have AD/LDAP set up, this can be used for group management in the Pro version.

@schester Something related to this was posted here, regarding the idea of a new feature to handle app configuration authorizations.