Hi Hans,
I. For self-service password reset, the document provided by Matt Pollicove is the best one!!
II. For service desk - "this group should reset all passwords".
1. Create an ordered task which resets the password for the selected user.
2. Create a role, say BizRole_ServiceDesk
3. Go to the Access control tab and maintain the access control as shown below.
4. Assign the role BizRole_ServiceDesk. Ensure you are giving him the privilege to the Manage tab, i.e. MX_PRIV:WD:TAB_MANAGE. I would suggest you add this privilege as a member privilege on the role.
III. "Authority manager: This group should assign security roles to users without changing the other user attributes."
1. Create an ordered task for role assignment. Since you want to restrict the users from changing any attribute other than the roles, make all the attributes read-only except the MXREF_MX_ROLE (& MXREF_MX_PRIVILEGE, if required) attribute.
2. Create a role, say BizRole_AuthorityManager
3. Go to the Access control tab and maintain the access control as BizRole_AuthorityManager, similarly to the screenshot under query 2.
4. Assign the role BizRole_AuthorityManager. Ensure you are giving him the privilege to the Manage tab, i.e. MX_PRIV:WD:TAB_MANAGE. I would suggest you add this privilege as a member privilege on the role.
All the best!!
~ Krishna.