After applying the following permissions to an Organizational Unit, a delegated admin is still able to delete User or Group objects:
- Deny - Organizational Unit object - Delete Child Object - User object type
- Deny - User object - Delete
Additional deny permissions are required.
The following permissions are required:
To deny delete you need to apply the following permissions:
1. Delete - for the object
2. Delete tree - for the object
3. Delete child objects - for the parent container
The following screenshot shows an Access Template with deny Delete permissions for Users and Groups:
© 2025 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center