Hello,

I'm currently trying to create a rule where a newly created admin role can create and manage streams and users. This is the resource filter from the rule I copied from the SecurityAdmin rules with some resources removed.

Stream_*,App*,User*,SystemRule_*,CustomProperty*,ContentLibrary_*

I then place this condition:

user.roles="TEST_DepartmentAdmin"

This condition tells me that if the role of the user is that of TEST_DepartmentAdmin, then grant him access to all of the above. It works as intended because I can create or edit rules that are part of a particular stream.

However, when I add this:

((user.roles="TEST_DepartmentAdmin" and resource.@TEST_Department=user.@TEST_Department))

It breaks the rule and the privileges of the admin are lost. For example, I was able to create and edit rules earlier for a particular stream, but when I added that second part, the admin was no longer able to add or edit rules citing lack of privileges for the user.

Is there a fix for what I'm trying to do? Or am I doing something incorrectly?

Thank you.

EDIT: A note is that I'm trying to make it such that that admin (which is the administrator for a particular stream and its sub streams) is only allowed to manage the streams he is the admin of. Therefore, he should only be able to create and edit the rules of the stream he is the admin of.