People in our organization are given the Manage Users admin role in order to manage the licenses associated with paid seats. However, the Manage Users admins are able to assign additional administrative privileges to themselves & other users. Among our concerns, the most immediate issue is that users can be given the ability to add/change/remove customizations that affect other workspaces. Because the alternative is a business process that is costly to maintain, it would be beneficial for Manage Users admins to not be able to assign/modify administrative privileges.
We utilize Paid Seat Groups for our large organization, but currently face challenges with delegated user management during team onboarding and offboarding processes.
Current Issue: We created a Custom Role to allow designated users to assign paid seats, but this role also grants the ability to modify user permissions, including elevating access levels. This creates a significant security risk and complicates user governance.
Proposed Solutions:
Option 1: Dedicated Paid Seat Group UI
A dedicated UI interface that allows specific users to manage only their designated Paid Seat Group, enabling:
Safe delegation of seat assignment/revocation to unit custodians
Elimination of unintended permission escalation risks
Streamlined user management for large organizations with multiple teams
Option 2: Enhanced Custom Role Granularity
Expand Custom Role capabilities to include a standalone "Paid Seat Group Management" permission that operates independently of other user management functions. This would allow administrators to:
Create roles focused solely on seat assignment/revocation
Maintain existing Custom Role flexibility while removing security risks
Delegate seat management without granting broader user permission modification capabilities
Both solutions would provide the granular control needed to improve security and operational efficiency for organizations requiring distributed user management responsibilities.
We do use paid seat groups. Part of the reason we have to use the "Manage users" permission is a result of paid seat group owners not being able to remove users from their groups, so the group owners end up assigning licensed roles to users without picking a paid seat group. Our primary admin group ends up with additional burden either way.
Thanks for reaching out. Have you considered using paid seat groups instead of granting the "Manage users" permission? Please reach out to support@aha.io and we will be happy to help see if that would meet your needs.
To clarify, this applies to a custom role that only has access to the "Billing > Users" permissions.
If the problem can be resolved a different way than I have suggested, then we'll take it!