...
This question exposes gaps in the groups manager channel, which should have permissions covering operations on groups and their descendants. However, you could also get the desired behavior with a custom permissions policy, and this might buy you some time to work out a more viable solution that involves changes to the groups and permissions manager channels. The policy would perform a special evaluation on permissions that are owned by the groups manager channel:
...
```
target = "group.local.123*"
```

Targets

A target in one of these permissions would be known to refer to a group and its descendants. Permissions like these would have to be maintained outside of the permissions manager. This is a very brittle approach, but it does work, and perhaps someone can think through and generalize it, maybe introducing a configurable wildcard syntax and list of permission owners. A follow-up step would be to make the permissions manager channel able to write and evaluate such permissions.
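The special evaluation described above, as an added example that is not part of the original post or of any real permissions manager: permissions owned by the groups manager channel get wildcard treatment on their target, everyone else's `*` stays literal. The owner name, the `Permission` fields and the sample permissions are assumptions; the example also tightens the wildcard to dot-separated descendants so that `group.local.123*` does not accidentally cover a sibling such as `group.local.1234`.

```python
from dataclasses import dataclass

# Assumed name of the groups manager channel; in the post's terms this is the
# "list of permission owners" whose targets get the special wildcard evaluation.
WILDCARD_OWNERS = {"groups-manager"}


@dataclass(frozen=True)
class Permission:
    owner: str    # channel that maintains this permission
    subject: str  # principal the permission is granted to
    action: str
    target: str   # resource id; may end in '*' when owner is in WILDCARD_OWNERS


def target_matches(perm: Permission, resource: str) -> bool:
    """Exact match, except that a groups-manager-owned target ending in '*'
    covers the named group and its descendants (dot-separated path)."""
    if perm.owner in WILDCARD_OWNERS and perm.target.endswith("*"):
        prefix = perm.target[:-1]
        # Match the group itself or a child path, never a sibling that merely
        # shares leading characters ("group.local.1234" is not a descendant).
        return resource == prefix or resource.startswith(prefix + ".")
    # For every other owner '*' is an ordinary character, not a wildcard.
    return perm.target == resource


def is_allowed(perms, subject: str, action: str, resource: str) -> bool:
    return any(
        p.subject == subject and p.action == action and target_matches(p, resource)
        for p in perms
    )


# Constructed sample permissions for the demonstration.
SAMPLE_PERMISSIONS = [
    Permission("groups-manager", "alice", "read", "group.local.123*"),
    Permission("permissions-manager", "bob", "read", "group.local.9*"),
]

if __name__ == "__main__":
    for who, res in [("alice", "group.local.123.7"), ("alice", "group.local.1234"),
                     ("bob", "group.local.9.1")]:
        print(who, res, is_allowed(SAMPLE_PERMISSIONS, who, "read", res))
```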
...