Updating users with Permission Management rights
As of SDL Web 8.5, the ability to create, modify and delete Users and Groups is no longer a part of the Permission Management right, but is instead contained in a system privilege called Group Management Privilege. As part of the upgrade, you need to decide which users that had the Permission Management right should also have the Group Management Privilege.
Before you begin
To perform this task, you must have the System Administration Privilege (this is true if you were previously a system administrator user) or Group Management Privilege (this is true if you previously had Permission Management rights).
About this task
The upgrade has added all Users and Groups that have Permission Management rights in any Publication to a new Group called "Group Manager", which has been granted the Group Management Privilege. This ensures that, by default, the upgrade does not disrupt what those users can do.
However, the reason for splitting off the management of Users and Groups into a new Privilege is to be able to deny users that Privilege while allowing them to retain the power to perform the other operations covered by the Permission Management right. Therefore, as part of the upgrade, you should manually take away the Group Management Privilege from users who should not have it, which specifically includes members of the default Group called Publication Managers.