VMware Cloud Community
Ahmed_Naguib
Contributor

How to prevent a business group admin from creating blueprints

Hello,

Is there a way I can limit the business group admin from creating blueprints?

We need to allow him only to deploy machines and manage machines deployed by users under his business group.

We are using VCAC 6.1.1.

There should be a role that we remove from the admin to achieve that; however, I am not sure which one it should be.

Has anyone come across a similar situation?

SeanKohler
Expert

>>We need to allow him only to deploying machines, and manage machines deployed by users under his business group.

These come from Entitlements to Services, Catalog Items, and Resource Actions.

>>Is there a way where I can limit the business group admin from creating blueprints ?

I think you mean the Group Manager Role?

User, Support User, and Group Manager provide access to see machines in the Business Group.

  • User can only see their machines.
  • Support User can see all machines.
  • Group Manager can see all machines.

Entitlement determines provisioning and actions.

Business Group Manager gives a lot of other permissions outside of just interacting with published catalog items and deployed machines. User doesn't allow for seeing other machines in the business group.

So for us... we just went with Support User across the board for ACCESS to the business group and divided our community into Entitlement roles (because you can have multiple entitlements per business group), and each role has different entitlements. Like some can provision with catalog items... and some can only work with provisioned machines.

There are others out there that are using a very different use case where business groups are handed over fully to another group... and they can build up their own blueprints. That wasn't our use case for now... and it sounds like it also isn't your use case.

I would suggest you look at putting all your AD user groups, or AD users, in the Support Users group. I think it will do what you need.

GrantOrchardVMw
Commander

Yes. Sean has hit the nail on the head. Assign the Support User role, as there is no way to limit the Business Group Manager permissions. Then assign the Business Group Manager role to a different account that only system administrators have access to.

Grant

Grant http://grantorchard.com
Ahmed_Naguib
Contributor

Thank you, gents, for your feedback.

I will try to use the support role instead of the admin role in the lab and see if it fits our use case as expected.

Thanks very much.

Regards

Ahmed
