The functionality behind my_organizations (e.g. listing the orgs selectable in the UI context menu) requires users to be assigned to orgs. This makes creating roles, such as the Site Admin built-in, behave strangely. I'd suggest the following:

+ Remove my_organizations permission
+ Add a search type for Organization permissions (e.g. view_organizations w/ User.current.my_organizations)
+ All access to orgs is handled through Organization permissions

This would allow roles that span the entire install (e.g. Site Admin, Site Auditor, etc.) to specify a role "view_organizations w/ unlimited". This user would not have to _belong_ to the orgs since, in fact, they are site managers, not members.

Note: All of the above should be applied similarly to my_locations, which I do not see as a permission anywhere currently.

Created from redmine issue http://projects.theforeman.org/issues/7878
Upstream bug component is Users & Roles