The Privilege Escalation error appears when the user who is inviting a user, or making changes to Usergroups, uses a Classic Role or Role Document that has fewer privileges than the Classic Role or Role Document tied to the Usergroup they are attempting to invite or add the user to.
e.g. If User X uses a custom Role Document that has the Setup -> SSO -> Create SSO permission disabled and attempts to add a user to a Usergroup that uses the Administrator Role Document, this error is thrown.
This is because the Administrator Role Document has a higher level of privilege: the Setup -> SSO -> Create SSO permission is enabled within the Administrator Role Document.
Partners
Partner Users may also encounter this same behaviour but find a different error message is returned, e.g. under Setup -> Admin -> Users a banner: "An error occurred while inviting <your users email address>. Please try again".
Please ensure that the Role the inviting user (Partner User) is assigned to within the Partner tenant has, at a minimum:
- The permissions enabled under the Standard User Role (https://apps.cloudhealthtech.com/roles/2) also enabled within their current role. The Partner User's role can have greater permissions, but must include all Standard User permissions.
- The same permissions that are enabled within the target Role/Role Document you are attempting to invite the user to. The Partner User's role can have greater permissions, but must include all permissions that are enabled within the target Role or Role Document.
The Standard User permissions are required because a user is also assigned to the "Standard User" Classic Role when invited to a FlexOrg Only tenant.
If the Partner User's Role has permissions disabled that are enabled within the "Standard User" Classic Role, this blocks the assignment of the user to the Standard User Classic Role and results in the "An error occurred while inviting <your users email address>. Please try again" error being displayed.
To resolve the error, enable any permissions that are enabled under https://apps.cloudhealthtech.com/roles/2 but aren't enabled within the Partner User's role.
If the Partner User's Role has permissions disabled that are enabled within the target Role/Role Document, you will also find the "An error occurred while inviting <your users email address>. Please try again" banner returned.
The platform blocks the assignment to the Role/Role Document because it would result in the invited user having more permissions than the user performing the invite.
To resolve the error and allow the Partner to invite, update the Partner User's Role with any permissions that are enabled within the target Role/Role Document for the new user but aren't currently enabled within the Partner User's Role.
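The following is an added example, not CloudHealth's own code, that models the two checks described above (target Role/Role Document and, in a FlexOrg Only tenant, the Standard User Classic Role) and reports which permissions the inviting user's role is missing. All permission names except "Setup -> SSO -> Create SSO" are constructed placeholders; the real permission lists are on the Roles pages such as https://apps.cloudhealthtech.com/roles/2.

```python
from dataclasses import dataclass

# Constructed placeholder permission sets for illustration only. The real
# Standard User permissions are listed at https://apps.cloudhealthtech.com/roles/2.
STANDARD_USER = frozenset({"View Dashboards", "View Reports"})
ADMINISTRATOR = STANDARD_USER | {"Setup -> SSO -> Create SSO", "Manage Users"}


@dataclass(frozen=True)
class InviteCheck:
    allowed: bool
    missing_for_standard_user: frozenset  # enable these to satisfy the Standard User check
    missing_for_target_role: frozenset    # enable these to satisfy the target Role check

    def remediation(self):
        """Permissions to enable on the inviter's role before retrying the invite."""
        return sorted(self.missing_for_standard_user | self.missing_for_target_role)


def check_invite(inviter_permissions, target_role_permissions, flexorg_only=True):
    """Decide whether an invite/Usergroup assignment would be blocked.

    The platform refuses the assignment whenever the target Role/Role Document,
    or (in a FlexOrg Only tenant) the Standard User Classic Role the invitee also
    receives, grants a permission the inviter's own role does not have, because
    the invited user would otherwise end up with more privilege than the inviter.
    """
    inviter = frozenset(inviter_permissions)
    missing_target = frozenset(target_role_permissions) - inviter
    missing_standard = (STANDARD_USER - inviter) if flexorg_only else frozenset()
    return InviteCheck(
        allowed=not (missing_target or missing_standard),
        missing_for_standard_user=missing_standard,
        missing_for_target_role=missing_target,
    )


if __name__ == "__main__":
    # User X: Administrator minus "Create SSO", inviting into an Administrator Usergroup.
    user_x = ADMINISTRATOR - {"Setup -> SSO -> Create SSO"}
    result = check_invite(user_x, ADMINISTRATOR)
    print("allowed:", result.allowed)
    print("enable on inviter's role:", result.remediation())
```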