Expanding custom permissions

Feature name

Expanding the custom permissions

I am currently working on a multistep enrollment plan for our IT department (consisting of ~150 users spread across 20+ teams) and for the entire company later on (1000+ users). My plan is to set up a collection for each team and use Azure dynamic groups to assign users "can edit" access to the specific collections. Furthermore, I would like to have 1-2 people from each team be able to "manage" their own collection, meaning giving them access to create new nested subcollections and fully manage those themselves, but not be able to manage the top level of their collection. That way I place the responsibility for everything within their collection with that team, while the admins manage everything above the team collection.

Something like this:

T1_User1 (Team1 manager)
T1_User2 (Team1 User)
T1_User3 (Team1 User)

T2_User1 (Team2 manager)
T2_User2 (Team2 User)
T2_User3 (Team2 User)

Company (Managed by: Admin1)
Company/IT (Managed by: Admin1)
Company/IT/Team1 (Managed by: Admin1 and co-managed by T1_User1)
Company/IT/Team1/XXX (Misc. collections created by T1_User1) (Managed by: T1_User1)
Company/IT/Team2 (Managed by: Admin1 and co-managed by T2_User1)
Company/IT/Team2/XXX (Misc. collections created by T2_User1) (Managed by: T2_User1)

I have found several other posts about changes to how permissions are set, e.g. automatically assigning access to nested subcollections etc., which would be great as well. However, I couldn't find a post that was spot on for what I am hoping for.

Feature function

  • What will this feature do differently?
    — Give us the ability to assign a manager to a collection, and have that manager only be able to manage subcollections within the set collection.

  • What benefits will this feature bring?
    — It will save the admins and users a lot of time, because the team manager can create/delete/manage their own subcollections without having to wait for the admins. Also, it supports the agile mindset of empowering the teams to take responsibility.

  • Remember to add a tag for each client application that will be affected
    — It will affect all apps, but will be handled within the web-vault.

I hope this makes sense.

Best regards,
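As an added illustration (not code from the post or from the product it discusses), here is a small model of the delegation rule described above: an admin right covers a collection and everything beneath it, a "manager" right covers only the strict descendants of the delegated collection (never its top level), and "can edit" is granted per exact collection as the per-team dynamic groups would do. The `Acl` structure, the slash-separated collection paths and all user names are assumptions made for the example; the hierarchy is the one sketched in the post.

```python
"""Added example: a toy model of the delegation rule requested in the post.

Assumptions (not from the post): collections are identified by slash-separated
paths, an "admin" right covers a path and everything below it, a "manager"
right covers only the strict descendants of a path, and "editor" rights are
granted per exact collection (what the per-team dynamic groups would assign).
"""
from dataclasses import dataclass, field


@dataclass
class Acl:
    admins: dict[str, set[str]] = field(default_factory=dict)    # user -> roots managed, root included
    managers: dict[str, set[str]] = field(default_factory=dict)  # user -> roots whose subtree (root excluded) is delegated
    editors: dict[str, set[str]] = field(default_factory=dict)   # user -> exact collections with "can edit"


def is_descendant(path: str, ancestor: str) -> bool:
    """Strict descendant test on path components.

    The trailing "/" matters: a plain string-prefix test would let a Team1
    manager reach "Company/IT/Team10".
    """
    return path.startswith(ancestor + "/")


def can_manage(acl: Acl, user: str, path: str) -> bool:
    """May `user` rename, delete or change access on the collection at `path`?"""
    if any(path == r or is_descendant(path, r) for r in acl.admins.get(user, ())):
        return True
    # Managers never get the delegated top level itself, only what lies beneath it.
    return any(is_descendant(path, r) for r in acl.managers.get(user, ()))


def can_create_under(acl: Acl, user: str, parent: str) -> bool:
    """May `user` create a new nested collection directly under `parent`?

    Creating a child means managing a (future) strict descendant of `parent`,
    so the check is the same as `can_manage` on that child path.
    """
    return can_manage(acl, user, parent + "/<new>")


def can_edit_items(acl: Acl, user: str, path: str) -> bool:
    """May `user` add or edit vault items in the collection at `path`?"""
    return can_manage(acl, user, path) or path in acl.editors.get(user, set())


# Constructed sample mirroring the hierarchy sketched in the post.
TEAM1 = "Company/IT/Team1"
TEAM2 = "Company/IT/Team2"
SAMPLE = Acl(
    admins={"Admin1": {"Company"}},
    managers={"T1_User1": {TEAM1}, "T2_User1": {TEAM2}},
    editors={
        # what the per-team dynamic groups would grant
        "T1_User1": {TEAM1}, "T1_User2": {TEAM1}, "T1_User3": {TEAM1},
        "T2_User1": {TEAM2}, "T2_User2": {TEAM2}, "T2_User3": {TEAM2},
    },
)


def decisions(acl: Acl = SAMPLE) -> dict[str, bool]:
    """Evaluate the access decisions that matter for the requested feature."""
    return {
        "manager cannot touch own top level": not can_manage(acl, "T1_User1", TEAM1),
        "manager can create under it": can_create_under(acl, "T1_User1", TEAM1),
        "manager manages what was created": can_manage(acl, "T1_User1", TEAM1 + "/Projects"),
        "manager cannot cross into Team2": not can_create_under(acl, "T1_User1", TEAM2),
        "manager cannot reach Team10 by prefix": not can_manage(acl, "T1_User1", TEAM1 + "0"),
        "plain user cannot manage": not can_manage(acl, "T1_User2", TEAM1 + "/Projects"),
        "plain user can edit items": can_edit_items(acl, "T1_User2", TEAM1),
        "admin manages everything": can_manage(acl, "Admin1", TEAM1),
    }


if __name__ == "__main__":
    for rule, ok in decisions().items():
        print(f"{'ok  ' if ok else 'FAIL'} {rule}")
```

The one detail worth keeping from this model when evaluating any real implementation is the strict-descendant check: the manager's scope is "below Team1", not "Team1 and below", and the path comparison has to be component-wise so that a neighbouring collection with a longer name is not swept in.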