Additive user management for project managers
We import ldap groups and assign them to projects which represents our enterpise departments as we have also ldap groups for them. This departments groups always have a department role, so that people in same department have special and more rights in their department and the children projects wwhich represent the projects. Here this groups also have the department role. Furthermore we only use private projetcs and have groups from other departments joining each other as reporter role. This whole groups > role >department/project setting is done by admins and shouldn't be chnaged by projetc managers, means the rights must stay even if project manager has right to manage users in his project.
At the moment if a user has manage project users rights he can remove set groups/users set in his project by admin before. That right shall be able to deactivate or the other way round a project manager shall be only able to add additional users and user rights for admin side added users which act als additive rights. This approach could e.g be needed to extend product project with external ressoucres (other departments or outsourced people)