=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/User.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/User.java 2014-12-19 16:13:54 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/User.java 2014-12-22 09:30:23 +0000
@@ -248,6 +248,18 @@
 {
 return userCredentials != null && userCredentials.isSuper();
 }
+
+ /**
+ * Indicates whether this user can manage the given user group. This is derived
+ * from which user groups are managed by the given group.
+ *
+ * @param userGroup the user group to test.
+ * @return true if the given user group can be managed by this user, false if not.
+ */
+ public boolean canManage( UserGroup userGroup )
+ {
+ return userGroup != null && CollectionUtils.containsAny( groups, userGroup.getManagedByGroups() );
+ }
 // -------------------------------------------------------------------------
 // Getters and setters
=== modified file 'dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserGroup.java'
--- dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserGroup.java 2014-12-19 16:13:54 +0000
+++ dhis-2/dhis-api/src/main/java/org/hisp/dhis/user/UserGroup.java 2014-12-22 09:30:23 +0000
@@ -51,6 +51,7 @@
 extends BaseIdentifiableObject
 {
 public static final String AUTH_USER_ADD = "F_USER_ADD";
+ public static final String AUTH_USER_ADD_IN_GROUP = "F_USER_ADD_WITHIN_MANAGED_GROUP";
 public static final String AUTH_USER_DELETE = "F_USER_DELETE";
 public static final String AUTH_USER_VIEW = "F_USER_VIEW";
=== modified file 'dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java'
--- dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java 2014-12-21 20:26:25 +0000
+++ dhis-2/dhis-web/dhis-web-api/src/main/java/org/hisp/dhis/webapi/controller/user/UserController.java 2014-12-22 09:30:23 +0000
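Review bot: In `User.canManage`, both `groups` and `userGroup.getManagedByGroups()` go straight into `CollectionUtils.containsAny`, and no import for `CollectionUtils` appears in this hunk, so the implementation it resolves to cannot be confirmed here. The controller call this replaces used `org.springframework.util.CollectionUtils`, which treats a null or empty collection as no match; other classes of the same name may throw on null instead. Because the result feeds an access decision, the method should deny explicitly, for example `if ( userGroup == null || groups == null || userGroup.getManagedByGroups() == null ) { return false; }` ahead of the `containsAny` call. The Javadoc also reads as the reverse of the check: the code tests the groups that manage the given group, so `This is derived from the user groups which manage the given group.` would be the accurate wording.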
@@ -62,7 +62,6 @@
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
-import org.springframework.util.CollectionUtils;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RequestMethod;
@@ -415,7 +414,7 @@
 throw new CreateAccessDeniedException( "Can't add/update user, can't find user group: " + ug.getUid() );
 }
- if ( !authorizedToAdd && CollectionUtils.containsAny( group.getManagedByGroups(), currentUser.getGroups() ) )
+ if ( !authorizedToAdd && currentUser.canManage( group ) )
 {
 authorizedToAdd = true;
 }
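Review bot: The rewritten condition in the `@@ -415,7 +414,7 @@` hunk keeps `authorizedToAdd` as a latch: once `currentUser.canManage( group )` is true for one group, the `!authorizedToAdd` guard skips the check for every group that follows. The enclosing loop starts and ends outside the hunk, so this is inferred, but if the submitted user can carry several groups, a caller who manages only one of them may end up authorized for the whole payload. Either confirm that every group in the request is checked, or state the intent in place with a comment such as `// one managed group is enough to authorize the add; the other groups are not checked here`. The new `AUTH_USER_ADD_IN_GROUP` constant from UserGroup.java is not referenced in the visible lines, so the place where that authority gates this branch deserves a comment as well.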