This article covers the permissions that control who may add and remove members in a group — that is, who may change which users are part of a role.
You assign these permissions in Financial under Security → Groups → select a group → Permissions (set Allow/Deny per permission). They apply per organizational unit — that is, only for memberships in the store/department where they are granted.
Allows adding a user as a member of a group within the organizational unit.
If the permission is denied, the attempt to update the membership is rejected — the user cannot be added to the group.
The permission makes it possible to delegate membership management to e.g. a store manager, without them having to be a full administrator.
Allows removing a user from a group within the organizational unit.
If the permission is denied, the user cannot be removed from the group.
The permissions apply per organizational unit. An employee may have the right to administer memberships in one store without having it in another.
Add and Remove are separate. You can grant the right to add without granting the right to remove (or vice versa), if that fits the workflow.
Administrators by default have full membership management on the top organizational unit.
Allow vs. Deny: An explicit Deny wins over an inherited Allow.