Restricting User Administration via Subscription Hub (Preventing Self-Privilege Escalation)

CarolinDjeri · 2025-07-24T12:08:39+00:00

There was an error rendering this rich post.

Hi everyone,

We're currently working on establishing a clean governance setup for our Board environment and have a specific use case within the Subscription Hub:

We want to allow a user to manage other users (e.g. assign them to groups or roles) – but without being able to assign higher privileges to themselves.

Our objectives:

Delegate user administration to a defined person or group
Prevent self-assignment of elevated roles, licenses or permissions
Ensure separation of duties and avoid circumvention of permission structures

Our questions:

Is there a native way within Subscription Hub to restrict user permissions this granularly?
Can group/role assignments be subject to a four-eyes principle or approval workflow?
Is it technically possible to restrict access to a user's own role or assignment configuration?

We’d highly appreciate any best practices or technical suggestions on how to implement this setup.

Thanks a lot in advance!

Best regards,

Carolin

Find more posts tagged with

Administration

Accepted answers

All comments

Helmut Heimann

Hi @CarolinDjeri ,

unfortunately, that is not possible natively—each user having administrative rights to change roles and/or profiles can ultimately change their own permissions.

You might want to use a different approach involving the SCIM interface. You can find more information here in our manual

https://help.board.com/docs/scim-api-endpoints

Best,
Helmut