In Liferay 7.0, we would like to create a Role that can unlock users but not deactivate them.
Currently, when creating a Role that can unlock Locked user accounts, it also gives more permissions to the user than we wanted - for example, the user is able to deactivate users as well. Is it possible to split out these permissions?
Steps to Reproduce:
1. Start up a 7.0 bundle.
2. Create a new Role. Go to Control Panel>Users>Roles. Click + button to create a Regular Role titled "Unlock Role" and click Save.
3. Return to list of Roles, find new "Unlock Role" and click three dots > Define Permissions.
Click Control Panel>User>Users and Organizations.
Under General Permissions, check the "Access in Control Panel" Action.
Under Resource Permissions>Users>Actions, select
(These seem to be the only actions needed to be able to unlock a Locked user account.)
4. Assign new "Unlock Role" to desired user.
5. Sign in as user with new "Unlock Role" and access Control Panel>User>Users and Organizations tab, click on account of locked user.
You will see a yellow box with words "This user account has been locked due to excessive failed login attempts."
6. Click Unlock button.
Result: Locked out User is unlocked.
However, user with new "Unlock Role" can also deactivate user accounts. This is undesirable. Is it possible to split these permissions?
Results of Testing:
Expected Results: Able to create Role that can unlock users but not deactivate them.
Actual Results: Able to create Role that can unlock users but not deactivate them.