We would like to see the ability for Group Admins to be User Admins WITHOUT being required to also give them access to DELETE users.
Since Workfront allows users with logged hours to be deleted, we have already run into an issue where a user with time billed was deleted. And now we have no way to tell who those hours belong to, which has caused some probably with our revenue reporting.
In order to avoid this in the future -- we removed the ability for our group admins to delete users.
Unfortunately, when we took away the ability to delete users -- it then removed the User Admin access rights, as Create and Delete are both required to give that functionality.
Now our group admins are unable to even add users, as they get an error stating they do not have access to the job role. They are also unable to edit the federation ID -- which we require as we have SSO enabled (as I assume most other enterprise level users do as well).
We don't think you should be able to have access to DELETE users in order to successfully be able to add users and update federation id's.
I suspect other large enterprise companies, especially those whose revenue recognition is tied to hours and users, will run into this issue where a user is accidentally deleted and then they have big headaches.
If you have, please vote!
If you have not already, please take this as a WARNING and a PLEA for help. :)
------------------------------------------------------------------------------------------------------
Below is the feedback we received from WF support about both of these:
Job Role:
The product manager over this area has let me know that to be able to assign a user a job role which you do not have yourself, you must either be a system administrator or a plan license user with the "User Admin (All Users)" access in your access level.
Federation ID:
The ability to delete users is not directly tied to the ability to edit the Federation ID. The ability to edit the Federation ID comes from the "User Admin (All Users)" checkbox in the Users section of the Access Level. Even if you have "User Admin (Group Users)", "Create", and "Delete" all checked, you cannot edit the Federation ID. The problem for you guys is that "Create" and "Delete" are mandatory with "User Admin (All Users)".