It sounds like you're looking for an admin who can be site-scoped: An administrator who is "god" in their site, but can't see other sites. God-like powers would include adding / deleting users.
Unfortunately, we're not quite there yet. In my perfect world, we'd be able to give you a site-specific Content Admin with the ability to add users. Unfortunately, as things stand right this second, we can:
- Allow you to add someone as a Content Admin on a specific site - they can only see / admin that site
- Allow Content Admin to do anything one needs to an existing user (add/remove to/from groups, make an existing user a publisher, etc.)
- Allow Content Admin to create new groups, projects, etc. and secure same
- Give that Content Admin the ability to add/delete users
You'll notice that the (new) option in the Server maintenance page actually becomes disabled once you put 7 into Multi-tenant mode by adding a second site:
Content Administrator Privileges
Allow content administrators to add/remove users.
When Server is in "single tenant" mode you do have the option of leaning on this setting. Not so in multi-tenant land (yet - we know it's a problem for customers). To add users, one MUST be a System Administrator while in multi-tenant mode.
For now, a decent workaround is to lean on AD groups *if* you're leveraging AD - a System Administrator will add the appropriate AD groups to different sites, and then set up a mechanism to sync those groups daily. As new users are provisioned into appropriate site-scoped AD groups, they'll magically show up in the site after your TabCmd SyncGroups. Now, that somewhat emasculated Content Admin can take over and do whatever needs to be done.
Hope this clears things up?
I'm not a religious man - there simply isn't enough data to support the concept, but I would very much like god-like powers for admin users within a site.
Should I add a feature request, or is it on the list.
It is on the list, but it can't hurt to make a request so those evangelizing it have more proof points
I have noticed that site content admins can import AD groups, just not individual users. Weird...
You can actually use this (by design) behavior to your benefit - It's a decent workaround to the problem Tom is having.
I want to utilize content administrators, but we don't want them to add/delete AD groups either. As things stand, they could potentially import any AD groups they want. Do you know how I (or the AD admin) would restrict this?
Thanks in advance,