We are trying to allow a user/group to create new users, but only as a member of certain groups. We have multiple "brand" super user groups. Each "brand" super user should only be allowed to add a new user to groups for their brand. With our current configuration, the group assignment works properly for existing users, but I am unable to create new users. The way we have the permissions set up under home is the following:
~/home - Allow Read
~/home/groups - Allow Read (applies to all child nodes as well)
~home/groups/e/everyone - Allow Read/Create/Modify/Delete/Read ACL/Edit ACL/Replicate - not sure if this is necessary, but added it since adding a user is not working and all users are members of the everyone group
~home/groups/t/testbrand-group - Allow Read/Create/Modify/Delete/Read ACL/Edit ACL/Replicate - this is a test group that we want to be able to add other users to
At a high level the steps look OK to me, though you have given more permissions, and it should work. I am guessing you might not have logged in as the "brand" super user. If you have logged in as the "brand" super user, validate the ACL evaluation; it is always bottom up. Maybe some other restriction is blocking the creation of a user.