Super Admin Group

is there any way to give a group the manage membership permission for an org, but prohibit them from managing the membership of the admin group? I want the admin group to only be managed by a super-admin group. The super admin group would be able to manage the admin list as well as some additional things like network ingress/egress, etc. (they’re given the enrollment admin role essentially).
basically if there’s some way to configure a “default” group that automatically has manage membership permissions unless its explicitly ungranted

No, there’s no way to grant manage on “all groups except x” for foundry managed groups. However, groups that are managed by the Identity Provider (such as Microsoft Entra or Okta) are not affected by this permission, so you could create the super admin group in the identity provider and manage membership there rather than in Foundry.

1 Like