We have OIM 18.104.22.168.0 and support a couple of third party organizations with delegated administration.
Admins in OrgA have an admin role AdminRoleA which allows them to assign UserRoleA to their users. Similarly, admins in OrgB are given AdminRoleB that gives them the ability to assign UserRoleB to their users.
We have support groups that can help these organizations. I have defined the Support role to inherit from AdminRoleA and AdminRoleB. The problem that I'm finding is that the support user can assign UserRoleB to a user in the other organization OrgA.
I could probably solve this by writing custom code in a validation handler but I just wondered if I was missing something and should have configured these roles and auth policies differently.