I've been doing some tests to find out the minimum permissions required to create users in Business Units.

For this exercise, I have two roles:

  • A modified version of System Customiser Role.
    • Sort of a minimum role for users to be able to log-in.
    • I removed all that has to do with User, User Settings and Business Units from this role.
  • A role for testing User and BU privileges
    • I combined privileges for User, User Settings and Business Units.

Here is what I came up with as the minimum requirements for creating a user:

A few explanations:

  • Business Unit - Read: If the user does not have read privileges for business units, the user will get a permission error as soon as they click on the New button to create a user.
  • Business Unit - Append To: Without this privilege, the button to create a new user will not be seen.
  • User - Read: Without the ability to read users, you cannot do anything else, including create.
  • User - Create: For the main action I am trying to cater for. As soon as the user is created, the record will be read-only because there is no Write permission.
  • User Settings: I noticed that unless user settings permissions are given, user creation will fail (insufficient permissions). I don't care for these at this point (I can fine-tune later).

Now, here is what is confusing me:

  • See how User has no Append privileges.
  • Yet, I can append the user to any business unit that I can read.
  • Even if I allow for Business Unit Read to be organization-wide (4/4), but the Append To is just to the local Unit (2/4) I can still create users in any Unit as long as I can read such Unit.

To sum up:

  • Business Unit: Append To: Is required to allow users to see the New user button.
  • But other than that, the person creating the user record will be able to create the user in any Business Unit that they can read.
  • As for User permissions, there seems to be no need for Append permissions.

This whole thing seems quite inconsistent to me. Thoughts?
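To make the two possible readings of the behaviour above easier to compare, here is a small model of privilege depth against a business unit tree. It is an added example, not code from the post or from the platform: the four depths follow the security role editor's access levels (1/4 User, 2/4 Business Unit, 3/4 Parent: Child Business Units, 4/4 Organization), the business units are constructed sample data, and the depths given to the User privileges are an assumption since the post only states the Business Unit depths. The "read" policy encodes what the post reports seeing, not confirmed product behaviour.

```python
from enum import IntEnum


class Depth(IntEnum):
    """Access levels as shown in the security role editor (the filled quarters)."""
    NONE = 0
    BASIC = 1    # 1/4  User
    LOCAL = 2    # 2/4  Business Unit
    DEEP = 3     # 3/4  Parent: Child Business Units
    GLOBAL = 4   # 4/4  Organization


# Constructed business unit tree, child -> parent (the root has no parent).
BU_PARENT = {
    "Root": None,
    "Sales": "Root",
    "Sales-EMEA": "Sales",
    "Finance": "Root",
}


def descendants(bu):
    """Return `bu` plus every business unit beneath it in BU_PARENT."""
    out = {bu}
    frontier = [bu]
    while frontier:
        current = frontier.pop()
        for child, parent in BU_PARENT.items():
            if parent == current and child not in out:
                out.add(child)
                frontier.append(child)
    return out


def in_scope(depth, actor_bu, target_bu, actor_owns_record=False):
    """True if a privilege held at `depth` by a user in `actor_bu` reaches `target_bu`."""
    if depth == Depth.GLOBAL:
        return True
    if depth == Depth.DEEP:
        return target_bu in descendants(actor_bu)
    if depth == Depth.LOCAL:
        return target_bu == actor_bu
    if depth == Depth.BASIC:
        return actor_owns_record
    return False


# The role the post ends up with: BU Read at 4/4, BU Append To at 2/4.
# The post gives no depth for the User privileges; GLOBAL here is an assumption.
ROLE = {
    ("businessunit", "Read"): Depth.GLOBAL,
    ("businessunit", "AppendTo"): Depth.LOCAL,
    ("systemuser", "Read"): Depth.GLOBAL,
    ("systemuser", "Create"): Depth.GLOBAL,
}


def can_create_user(role, actor_bu, target_bu, policy):
    """Decide whether a user in `actor_bu` may create a user record in `target_bu`.

    policy="append_to": what the privilege names suggest, creating a user in a BU
        needs Append To on that BU (plus User Create) to be in scope.
    policy="read": what the post reports seeing, Read on the BU is enough
        (plus User Create); Append To only gates the New button.
    """
    gate = ("businessunit", "AppendTo") if policy == "append_to" else ("businessunit", "Read")
    return (in_scope(role.get(gate, Depth.NONE), actor_bu, target_bu)
            and in_scope(role.get(("systemuser", "Create"), Depth.NONE), actor_bu, target_bu))


def creatable_bus(role, actor_bu, policy):
    """Set of business units where `can_create_user` is granted under `policy`."""
    return {bu for bu in BU_PARENT if can_create_user(role, actor_bu, bu, policy)}


if __name__ == "__main__":
    for policy in ("append_to", "read"):
        print(policy, sorted(creatable_bus(ROLE, "Sales", policy)))
```

Run from the "Sales" unit, the "append_to" policy yields only Sales, while the "read" policy yields every unit in the tree, which is the gap the post describes between the Append To depth and where users can actually be created.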