Hi @j prasad,
Thanks for reaching out.
Your understanding is correct here.
If a user is assigned the Global Administrator role directly, they will have access to the Group Expiration settings. However, if the Global Administrator role is granted via a group, they will not have access to the Group Expiration settings.
This is because group-based permissions are evaluated differently than direct permissions. In the case of direct permissions, the user is granted the permission directly, without any intermediary group. This means that the user has permission regardless of any group membership.
In the case of group-based permissions, the user is granted permission through membership in a group. This means that the user only has permission if they are a member of the group that has been granted the permission.
When a user has both direct and group-based permissions, the more restrictive permission takes precedence.
Hope this will help.
Thanks,
Shweta
Please remember to "Accept Answer" if the answer helped you.
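An added example, not part of the answer above or Microsoft's own code: a Python sketch that separates users who hold Global Administrator directly from those who hold it only through a group, the case the answer says lacks access to the Group Expiration settings. The input is constructed sample data shaped like Microsoft Graph `roleAssignments?$expand=principal` and `transitiveMembers` responses; all user names, group names and object IDs are made up.

```python
"""Split Global Administrator holders into direct and group-inherited."""

# Built-in role template ID for Global Administrator in Microsoft Entra ID.
GLOBAL_ADMIN_ROLE_ID = "62e90394-69f5-4237-9190-012177145e10"
USER, GROUP = "#microsoft.graph.user", "#microsoft.graph.group"

# Constructed sample, shaped like roleAssignments?$expand=principal.
ROLE_ASSIGNMENTS = [
    {"roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "principal": {"@odata.type": USER, "id": "u-1", "userPrincipalName": "alice@contoso.example"}},
    {"roleDefinitionId": GLOBAL_ADMIN_ROLE_ID,
     "principal": {"@odata.type": GROUP, "id": "g-1", "displayName": "Tier0-Admins"}},
    {"roleDefinitionId": "00000000-0000-0000-0000-000000000000",  # placeholder: some other role
     "principal": {"@odata.type": USER, "id": "u-3", "userPrincipalName": "carol@contoso.example"}},
]
# Constructed sample, shaped like groups/{id}/transitiveMembers.
GROUP_MEMBERS = {
    "g-1": [
        {"@odata.type": USER, "id": "u-1", "userPrincipalName": "alice@contoso.example"},
        {"@odata.type": USER, "id": "u-2", "userPrincipalName": "bob@contoso.example"},
        {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-1", "displayName": "automation"},
    ],
}

def classify_holders(assignments, group_members, role_id=GLOBAL_ADMIN_ROLE_ID):
    """Return {upn: {"direct": bool, "via_groups": [group names]}} for one role."""
    holders = {}
    def entry(upn):
        return holders.setdefault(upn, {"direct": False, "via_groups": []})
    for a in assignments:
        if a["roleDefinitionId"] != role_id:
            continue
        p = a["principal"]
        if p["@odata.type"] == USER:
            entry(p["userPrincipalName"])["direct"] = True
        elif p["@odata.type"] == GROUP:
            # Only user members are reported; other object types are skipped.
            for m in group_members.get(p["id"], []):
                if m["@odata.type"] == USER:
                    entry(m["userPrincipalName"])["via_groups"].append(p["displayName"])
    return holders

def group_only_holders(holders):
    """Users who hold the role only through a group, never directly."""
    return sorted(u for u, h in holders.items() if not h["direct"])

if __name__ == "__main__":
    found = classify_holders(ROLE_ASSIGNMENTS, GROUP_MEMBERS)
    print("group-only Global Administrators:", group_only_holders(found))
```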