In our organization, we have one person who is in charge of managing permissions on the various platforms we use, including Octopus.
This user has no need to do anything else on Octopus other than manage user permissions. He doesn’t need, nor does he want, the ability to do anything with releases or deployments.
Is it possible to give him the ability to manage users’ permissions (including Octopus admins) without being an Octopus Admin himself?
In order to prevent users from being able to elevate their own permissions within Octopus a user can only add other users to teams that have permissions of the same level or below the editing user.
Having it work the way you describe may initially seem like applying least privilege, but it is actually the opposite, as that user would have the ability to create admin-level users. Meaning that user technically is able to create a full admin user and gain access to your entire system.
The only real solution to this would be to use an external auth provider such as Active Directory, where the users and teams can be managed outside of Octopus by a user who doesn’t have access to Octopus themselves.
You could perhaps create some scripts against the API to automate the management of users and pair this with an admin-level Octopus service account API key, which would provide the permissions needed without being able to log in to Octopus.
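The following is an added worked example, not code from the forum thread or from Octopus Deploy. It models the "same level or below" rule from the answer above (a user may only add members to teams whose permissions they already hold, so nobody can grant themselves admin by proxy) and then shows the shape of the API-driven membership update the answer suggests running under an admin-level service account key. Everything specific is an assumption: the flattened permission names, the team and user identifiers, the server URL and key, and the request shape (PUT to /api/teams/{id} with a MemberUserIds list, authenticated by the X-Octopus-ApiKey header). The sample data is constructed and no network call is made; the request is built and returned as data so the script runs offline.

```python
"""
Added example (not from the Octopus forum post above): models the
"no self-elevation" rule the answer describes and shows how a script
driven by a service-account API key would apply a membership change.

Assumptions (not stated on the page): the permission-set model, the
team/user names, and the request shape (PUT /api/teams/{id} with
MemberUserIds, authenticated by the X-Octopus-ApiKey header) are mine.
No network calls are made; the request is built and returned as data.
"""
import json
from dataclasses import dataclass, field

OCTOPUS_URL = "https://octopus.example.internal"  # hypothetical server
SERVICE_ACCOUNT_KEY = "API-EXAMPLEKEYNOTREAL"     # constructed placeholder


@dataclass
class Team:
    id: str
    name: str
    permissions: frozenset  # assumed flattened set of permission names
    member_user_ids: list = field(default_factory=list)


def effective_permissions(user_id, teams):
    """Union of the permissions of every team the user belongs to."""
    perms = set()
    for team in teams:
        if user_id in team.member_user_ids:
            perms |= team.permissions
    return frozenset(perms)


def can_add_to_team(actor_id, team, teams):
    """The rule the answer describes: an editor may add members only to
    teams whose permissions are a subset of (same level or below) the
    editor's own, so nobody can grant what they do not already hold."""
    return team.permissions <= effective_permissions(actor_id, teams)


def add_member(actor_id, team, new_user_id, teams):
    """Apply the membership change only if the rule permits it."""
    if not can_add_to_team(actor_id, team, teams):
        raise PermissionError(
            f"{actor_id} cannot add members to {team.name}: "
            f"team grants permissions the actor does not hold")
    if new_user_id not in team.member_user_ids:
        team.member_user_ids.append(new_user_id)
    return team


def build_team_update_request(team, base_url=OCTOPUS_URL,
                              api_key=SERVICE_ACCOUNT_KEY):
    """Request a script would send as the admin-level service account.
    Assumed shape: PUT /api/teams/{id} carrying the updated team resource."""
    return {
        "method": "PUT",
        "url": f"{base_url}/api/teams/{team.id}",
        "headers": {"X-Octopus-ApiKey": api_key,
                    "Content-Type": "application/json"},
        "body": json.dumps({"Id": team.id, "Name": team.name,
                            "MemberUserIds": team.member_user_ids}),
    }


def constructed_teams():
    """Constructed sample data: an admin team, a user-management team and
    a deploy team. 'alice' is the permissions manager from the question."""
    return [
        Team("teams-1", "Octopus Administrators",
             frozenset({"AdministerSystem", "UserEdit", "TeamEdit",
                        "DeploymentCreate"}), ["users-bob"]),
        Team("teams-2", "User Managers",
             frozenset({"UserEdit", "TeamEdit"}), ["users-alice"]),
        Team("teams-3", "Deployers", frozenset({"DeploymentCreate"}), []),
    ]


def demo():
    teams = constructed_teams()
    admins, managers, deployers = teams
    results = {}
    # alice holds UserEdit/TeamEdit only; adding to the admin team would
    # let her mint a full admin, which the rule refuses.
    try:
        add_member("users-alice", admins, "users-carol", teams)
        results["alice_to_admins"] = "allowed"
    except PermissionError:
        results["alice_to_admins"] = "refused"
    # alice can add to a team whose permissions she already holds.
    add_member("users-alice", managers, "users-carol", teams)
    results["alice_to_managers"] = "users-carol" in managers.member_user_ids
    # alice lacks DeploymentCreate, so the deploy team is off-limits too.
    results["alice_to_deployers"] = can_add_to_team("users-alice", deployers, teams)
    # bob (an admin) can; a script would send this request with the service key.
    add_member("users-bob", admins, "users-carol", teams)
    results["request"] = build_team_update_request(admins)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the check makes concrete: giving the permissions manager "UserEdit" and "TeamEdit" is not enough to put someone in the administrators team, because that team carries "AdministerSystem" and "DeploymentCreate", which the manager does not hold. Only a principal that already has admin-level rights (here the service-account key the script runs under) can make that change, which is why the answer steers towards an external directory or an API-key-driven script rather than a partially privileged interactive user.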