We have set up Active Directory Integration but are kind of struggling with the creation of user groups.
We would like all of the employees to have read-only access. But a separate group of those employees (system engineer) to have read/write access.
So we set up 2 user groups, one with ALL the employees(this includes the system engineers) and one with only the system engineers. With the 'new user type' set to read-only and read/write respectively.
The problem is that when a system engineer logs in he only gets the read-only rights until we delete the 'employees' group. I feel that this should be the other way round, that it should check for the highest privileges the account has, not the lowest.
Is there no other way around this next to creating a group in the Active Directory with all users excluding the system engineers?