I'm using right bundles to limit what tenant admins are allowed to do: one of the things I would like to disable is the creation of new users and groups, since we are federating all the tenants with a saml idp that should be under control of the provider and we only want to authorize users throught the idp. I could not find what right actually disables the user creation from the tenant portal (administration/Access Control/Users/new)
Hello! For standard cloud users (we do not use saml) I've just disabled all in Access control - Organization - Manage. Any user with this custom role can see list of other users, but can't do anything with them or create a new one.
Also, I think it's "Manage the System Organization settings" right.