Friday, August 5, 2011

Delegated Role Administration

While setting up our first delegated role administrator, we came across some items to keep an eye out for. We created a new role and assigned as Role Owner the person we wanted to manage that role. This person is a non-administrator in the system, but they need to be able to add anybody to the role as needed. The built-in Role Owner policy allows them to see the role, but two issues appeared. First, the role owner was not able to see the members of the role; in fact, an error came up in the UI. Second, they could click on the Add button, but no results would ever come back in the user select box. (FYI: this search box is strange in that it searches only on Display Name, but it does accept wildcards. Since our display names include middle initials, I have to search for Eric*Fisher to find me if I don't know the MI.)

We fixed the search problem by creating a new role called ROLE_OWNER, creating a new authorization policy for ROLE_OWNERS that granted them Search User and View User Details (just the default attributes), and adding the role owner to this role. This fixes the issue of the role owner not being able to search in the box for new users to add to the role.

The other problem was more complicated and is related to the XL.EnableOrgPermissionCheck system property, which is set to TRUE and enables 9.x-style Org Permission checking. As some of you 9.x users may recall, you have to add Administrative Roles to the Organization to allow a Role to manage users in that Org. So we went to our root Organization and granted the ROLE_OWNER role READ permissions on that Org. Problem solved.