A user opens a Group [sys_user_group] record. It appears read-only and/or the user is unable to edit the Group Members. When saving the Group Members, depending on the user's role(s) you may see the following message:
"Security users can only modify own security groups, changes not saved."
Debugging Security (ACL's) may indicate the user is failing access due to "IAccessHandler"
Plugin [Security Incident Response - com.snc.security_incident]
Users without [sn_si.admin] role may encounter these symptoms if one of the Roles contained by the Group is a Security Incident Role. Check the Roles related list for 'sn_si.' roles.
Users with [sn_si.admin] role may encounter these symptoms if the group does not have a valid Security group type [sys_user_group.type]. This is because sn_si.admin users - although are granted the 'user_admin' role - are prevented from updating non-security groups.
You may resolve this by reconfiguring your groups, roles, or customizing the controlling Script Include. By ensuring the 'sn_si.admin' user also inherits the 'user_admin' role from a secondary group will bypass the script's check. The Script Include is "SecurityIncidentUtils" and is part of the Security Incident scoped application. Lines 954 - 983 contain the methods 'shouldAbortNonSecurityGroupMemberUpdate' and '_isSecurityGroupType.'
The IAccessHandler permissions are not able to be bypassed with ACL's, so creating additional ACL's will not help in this case.