Granting the "Manage Users" permission is too powerful in some scenarios. Here is how we would like to be able to define more fine-grained permissions:
1. Create an Organization Role, and Define Permissions:
Users and Organizations -> General Permissions -> Access in Control Panel
Users and Organizations -> General Permissions -> View
Users and Organizations -> User -> Delete
Users and Organizations -> User -> Update
Users and Organizations -> User -> View
Users and Organizations -> Organization -> View
Users and Organizations -> Organization -> View Members (not sure if necessary)
2. Create an Organization
3. Create two users and assign them to this Organization
(note: In the current master, I couldn't make the assignment from the users' menu, so I had to use the Organization's assign members feature)
4. Assign your Organization Role to one of your users
5. Log in with this user
Issue 1: You cannot access the Control Panel with this user, even though the Organization Role's permissions summary shows that it has "Portal: Go to Control Panel" rights.
6. Create a Regular Role to work around Issue 1, Define Permissions:
Control Panel -> General Permissions -> Go to Control Panel
7. Assign this Regular Role to your user
8. Log in with this user
9. Now you will see the Control Panel button, click on it
Issue 2: You will get the following message: "You do not have permission to access any control panel applications. Please contact your administrator.", even though it has multiple Control Panel permissions.
10. Modify your Organization Role to work around Issue 2, Define Permission in addition:
Users and Organizations -> Organization -> Manage Users
11. Log in again with your user
12. Go to Control Panel, choose your Organization, inspect the actions menu for the Organization members
Issue 3: You are able to impersonate the additional user, even though we didn't set that permission on the Organization Role, so the "Manage Users" permission gave too much.
Expected Result: The permissions defined in step 1 should be enough to access and edit Organization users.
1. The "Access in Control Panel" permission for Organizations should be enough for Issue 1 and Issue 2.
2. Since we can set "Delete", "Impersonate", "Permissions", "Update", "View" permissions separately for users, it is expected to be able to use one without the other.
ee-6.2.x@95315c9 - reproduced
master@2e84633 - reproduced