Ansible Automation Platform RFEs: AAPRFE-2503

Auditors require a separation for the Administration Role. They want a separate role for managing users and access


      1. What is the nature and description of the request? This is for MUFG. They have had auditors request that there be a separate role for managing the users and roles within AAP.
      2. Why does the customer need this? (List the business requirements here.) This is a requirement from their auditors. They can get a temporary OK, but it comes up in each of the audits.
      3. How would you like to achieve this? (List the functional requirements here.) There needs to be another default role with the installed product that will handle this function. I will provide more details below.
      4. List any affected known dependencies: Doc, UI, etc. This will require changes to the documentation, probably not to the UI, but to the basic function of the product.
      5. GitHub link, if any. None.

       

      From the customer:

      Hi Ryan, Tim,

       

      As I mentioned in the meeting last week, there is a security risk finding for lack of segregation of duty against Ansible Automation Platform, as follows:

       

      “Lack of segregation of access administration - as part of BAU IAM has reviewed the SAP for system <ANT> and have identified security administration access has not been segregated <Business user has super admin role including security administration access>.”

       

      To close the finding and thus ensure continued operation of AAP in the bank, please provide an official response for the following:

       

      1. Provide the segregation of duties function identified by the finding.
      2. If #1 cannot be achieved, provide an explanation so we can document it and request an exception.

       

      Regards,

      James

       

      My outline:
      James,
       
      As discussed, in the AAP product, for local accounts, there is not a role that only has the ability to manage user attributes like permissions, passwords, groups, etc.
       
      The admin role has that ability, but it isn't just limited to those items.
       
      Most of our customers use the enterprise identity provider for this functionality. The ability to establish local users within AAP is commonly just used for demos and lab environments. Standard practice is to integrate and utilize the enterprise identity provider for managing the users, groups, permissions and controls. This allows the enterprise to easily manage these functions from a central service versus having to manage users on the AAP endpoint. AAP is able to adopt the users and permissions forwarded from the identity provider. For instance, if someone terminates their employment, the account is removed from the central identity provider, which also removes it from AAP.
       
      We have requested an enhancement to the product that will provide this ability.  The number of this RFE will be forwarded when it is provided.
       
       
      Let me know if there are questions.

      Assignee: Unassigned
      Reporter: rh-ee-tcoulter Timothy Coulter