Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/DisabledUserManageAction.java
===================================================================
diff -u -r622101803252450b96cc9882a17ae20de4f6e431 -r4c272618da715b9f814eb81630e92abf2ef1a736
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/DisabledUserManageAction.java	(.../DisabledUserManageAction.java)	(revision 622101803252450b96cc9882a17ae20de4f6e431)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/DisabledUserManageAction.java	(.../DisabledUserManageAction.java)	(revision 4c272618da715b9f814eb81630e92abf2ef1a736)
@@ -37,6 +37,10 @@
 import org.lamsfoundation.lams.admin.service.AdminServiceProxy;
 import org.lamsfoundation.lams.usermanagement.Role;
 import org.lamsfoundation.lams.usermanagement.User;
+import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
+import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
+import org.lamsfoundation.lams.web.session.SessionManager;
+import org.lamsfoundation.lams.web.util.AttributeNames;
 
 /**
  * @author jliew
@@ -54,17 +58,17 @@
             HttpServletRequest request,
             HttpServletResponse response) throws Exception {
 		
-		if (!request.isUserInRole(Role.SYSADMIN)) {
-			request.setAttribute("errorName","UserAction");
+		IUserManagementService service = AdminServiceProxy.getService(getServlet().getServletContext());
+		
+		if (!(request.isUserInRole(Role.SYSADMIN) || service.isUserGlobalGroupAdmin())) {
+			request.setAttribute("errorName","DisabledUserManageAction");
 			request.setAttribute("errorMessage",AdminServiceProxy
 					.getMessageService(getServlet().getServletContext())
 					.getMessage("error.need.sysadmin"));
 			return mapping.findForward("error");
 		}
 		
-		List users = AdminServiceProxy
-			.getService(getServlet().getServletContext())
-			.findByProperty(User.class, "disabledFlag", true);
+		List users = service.findByProperty(User.class, "disabledFlag", true);
 		log.debug("got "+users.size()+" disabled users");
 		request.setAttribute("users", users);
 		
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/OrgManageAction.java
===================================================================
diff -u -r970051cfc82b903b4bb236a80e6e720efba93889 -r4c272618da715b9f814eb81630e92abf2ef1a736
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/OrgManageAction.java	(.../OrgManageAction.java)	(revision 970051cfc82b903b4bb236a80e6e720efba93889)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/OrgManageAction.java	(.../OrgManageAction.java)	(revision 4c272618da715b9f814eb81630e92abf2ef1a736)
@@ -130,10 +130,11 @@
 			for(int i=0; i<organisations.size(); i++){
 				Organisation organisation = (Organisation)organisations.get(i);
 				Organisation parentOrg = (type.equals(OrganisationType.CLASS_TYPE)) ? organisation.getParentOrganisation() : organisation;
-				// do not list this org as a child if requestor is not an admin or manager in the parent
+				// do not list this org as a child if requestor is not an admin or manager in the parent, or global admin
 				if (!request.isUserInRole(Role.SYSADMIN)) {
 					if (!(service.isUserInRole(userId, parentOrg.getOrganisationId(), Role.COURSE_ADMIN)
-							|| service.isUserInRole(userId, parentOrg.getOrganisationId(), Role.COURSE_MANAGER)))
+							|| service.isUserInRole(userId, parentOrg.getOrganisationId(), Role.COURSE_MANAGER)
+							|| service.isUserGlobalGroupAdmin()))
 						continue;
 				}
 				// do not list this org if it is not a child of the requested parent
@@ -150,8 +151,10 @@
 		}
 		orgManageForm.setOrgManageBeans(orgManageBeans);
 		request.setAttribute("OrgManageForm",orgManageForm);
-		// let the jsp know whether to display the 'create group' link
-		request.setAttribute("isSysadmin",request.isUserInRole(Role.SYSADMIN));
+		// let the jsp know whether to display links
+		request.setAttribute("createOrEditGroup",request.isUserInRole(Role.SYSADMIN)
+				|| service.isUserGlobalGroupAdmin());
+		request.setAttribute("manageGlobalRoles", request.isUserInRole(Role.SYSADMIN));
 		return mapping.findForward("orglist");
 	}
 
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/OrganisationAction.java
===================================================================
diff -u -r1350f430376f5ac5788f66e03d5207d4119384bd -r4c272618da715b9f814eb81630e92abf2ef1a736
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/OrganisationAction.java	(.../OrganisationAction.java)	(revision 1350f430376f5ac5788f66e03d5207d4119384bd)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/OrganisationAction.java	(.../OrganisationAction.java)	(revision 4c272618da715b9f814eb81630e92abf2ef1a736)
@@ -41,10 +41,13 @@
 import org.lamsfoundation.lams.usermanagement.OrganisationType;
 import org.lamsfoundation.lams.usermanagement.Role;
 import org.lamsfoundation.lams.usermanagement.SupportedLocale;
+import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
 import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
 import org.lamsfoundation.lams.util.MessageService;
 import org.lamsfoundation.lams.util.WebUtil;
 import org.lamsfoundation.lams.web.action.LamsDispatchAction;
+import org.lamsfoundation.lams.web.session.SessionManager;
+import org.lamsfoundation.lams.web.util.AttributeNames;
 
 /**
  * @author Fei Yang
@@ -72,7 +75,18 @@
 		initLocalesAndStatus();
 		DynaActionForm orgForm = (DynaActionForm)form;
 		Integer orgId = WebUtil.readIntParam(request,"orgId",true);
-
+		
+		if(!(request.isUserInRole(Role.SYSADMIN) || service.isUserGlobalGroupAdmin())) { 
+			if (orgForm.get("typeId")!=null && orgForm.get("typeId").equals(OrganisationType.COURSE_TYPE)
+					|| orgForm.get("typeId")==null) {
+				// only sysadmin and global group admin can create/edit groups
+				messageService = AdminServiceProxy.getMessageService(getServlet().getServletContext());
+				request.setAttribute("errorName", "OrganisationAction");
+				request.setAttribute("errorMessage", messageService.getMessage("error.authorisation"));
+				return mapping.findForward("error");
+			}
+		}
+		
 		if(orgId != null){//editing existing organisation
 			Organisation org = (Organisation)service.findById(Organisation.class,orgId);
 			BeanUtils.copyProperties(orgForm,org);
@@ -83,12 +97,6 @@
 			orgForm.set("stateId",org.getOrganisationState().getOrganisationStateId());
 			SupportedLocale locale = org.getLocale();
 			orgForm.set("localeId",locale != null ? locale.getLocaleId() : null);
-		} else if(!request.isUserInRole(Role.SYSADMIN) && orgForm.get("typeId").equals(OrganisationType.COURSE_TYPE)) {
-			// only sysadmin can create new group
-			messageService = AdminServiceProxy.getMessageService(getServlet().getServletContext());
-			request.setAttribute("errorName", "OrganisationAction");
-			request.setAttribute("errorMessage", messageService.getMessage("error.authorisation"));
-			return mapping.findForward("error");
 		} else {
 			// creating new organisation
 			orgForm.set("orgId", null);
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserAction.java
===================================================================
diff -u -r6c4022a99549f63f088ce13e0e201492a39c30da -r4c272618da715b9f814eb81630e92abf2ef1a736
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserAction.java	(.../UserAction.java)	(revision 6c4022a99549f63f088ce13e0e201492a39c30da)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserAction.java	(.../UserAction.java)	(revision 4c272618da715b9f814eb81630e92abf2ef1a736)
@@ -28,6 +28,7 @@
 import java.util.Collections;
 import java.util.List;
 
+import javax.servlet.ServletContext;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -77,17 +78,25 @@
 public class UserAction extends LamsDispatchAction {
 
 	private static Logger log = Logger.getLogger(UserAction.class);
-	private static IUserManagementService service;
-	private static MessageService messageService;
+	private IUserManagementService service;
+	private MessageService messageService;
 	private static List<SupportedLocale> locales;
 	
+	private void initServices() {
+		if (service==null) {
+			service = AdminServiceProxy.getService(getServlet().getServletContext());
+		}
+		if (messageService==null) {
+			messageService = AdminServiceProxy.getMessageService(getServlet().getServletContext());
+		}
+	}
+	
 	public ActionForward edit(ActionMapping mapping,
             ActionForm form,
             HttpServletRequest request,
             HttpServletResponse response) throws Exception {
 		
-		service = AdminServiceProxy.getService(getServlet().getServletContext());
-		messageService = AdminServiceProxy.getMessageService(getServlet().getServletContext());
+		initServices();
 		if (locales==null) {
 			locales = service.findAll(SupportedLocale.class);
 			Collections.sort(locales);
@@ -99,19 +108,20 @@
 		
 		// test requestor's permission
 		Organisation org = null;
-		Boolean requestorHasRole = false;
+		Boolean requestorHasRole = service.isUserGlobalGroupAdmin();
 		if (orgId!=null) {
 			org = (Organisation)service.findById(Organisation.class,orgId);
-			OrganisationType orgType = org.getOrganisationType();
-			Integer orgIdOfCourse = (orgType.getOrganisationTypeId().equals(OrganisationType.CLASS_TYPE)) 
-				? org.getParentOrganisation().getOrganisationId() : orgId;
-			User requestor = (User)service.getUserByLogin(request.getRemoteUser());
-			requestorHasRole = service.isUserInRole(requestor.getUserId(), orgIdOfCourse, Role.COURSE_ADMIN)
-				|| service.isUserInRole(requestor.getUserId(), orgIdOfCourse, Role.COURSE_MANAGER);
+			if (!requestorHasRole) {
+				OrganisationType orgType = org.getOrganisationType();
+				Integer orgIdOfCourse = (orgType.getOrganisationTypeId().equals(OrganisationType.CLASS_TYPE)) 
+					? org.getParentOrganisation().getOrganisationId() : orgId;
+				User requestor = (User)service.getUserByLogin(request.getRemoteUser());
+				requestorHasRole = service.isUserInRole(requestor.getUserId(), orgIdOfCourse, Role.COURSE_ADMIN)
+					|| service.isUserInRole(requestor.getUserId(), orgIdOfCourse, Role.COURSE_MANAGER);
+			}
 		}
-		Boolean isSysadmin = request.isUserInRole(Role.SYSADMIN);
 		
-		if (!(requestorHasRole || isSysadmin)) {
+		if (!(requestorHasRole || request.isUserInRole(Role.SYSADMIN))) {
 			request.setAttribute("errorName", "UserAction");
 			request.setAttribute("errorMessage", messageService.getMessage("error.authorisation"));
 			return mapping.findForward("error");
@@ -157,6 +167,7 @@
 	
 	// display user's global roles, if any
 	private UserOrgRoleDTO getGlobalRoles(User user) {
+		initServices();
 		UserOrganisation uo = service.getUserOrganisation(user.getUserId(),
 				service.getRootOrganisation().getOrganisationId());
 		if (uo==null) return null;
@@ -173,6 +184,7 @@
 	// display user's organisations and roles in them
 	private List<UserOrgRoleDTO> getUserOrgRoles(User user) {
 		
+		initServices();
 		List<UserOrgRoleDTO> uorDTOs = new ArrayList<UserOrgRoleDTO>();
 		List<UserOrganisation> uos = service.getUserOrganisationsForUserByTypeAndStatus(
 				user.getLogin(), 
@@ -215,12 +227,11 @@
             HttpServletRequest request,
             HttpServletResponse response) throws Exception {
 		
-		service = AdminServiceProxy.getService(getServlet().getServletContext());
-		messageService = AdminServiceProxy.getMessageService(getServlet().getServletContext());
+		initServices();
 		
-		if (!request.isUserInRole(Role.SYSADMIN)) {
+		if (!(request.isUserInRole(Role.SYSADMIN) || service.isUserGlobalGroupAdmin())) {
 			request.setAttribute("errorName","UserAction");
-			request.setAttribute("errorMessage",messageService.getMessage("error.need.sysadmin"));
+			request.setAttribute("errorMessage",messageService.getMessage("error.authorisation"));
 			return mapping.findForward("error");
 		}
 		
@@ -240,18 +251,18 @@
             ActionForm form,
             HttpServletRequest request,
             HttpServletResponse response) throws Exception {
-
-		messageService = AdminServiceProxy.getMessageService(getServlet().getServletContext());
 		
-		if (!request.isUserInRole(Role.SYSADMIN)) {
+		initServices();
+		
+		if (!(request.isUserInRole(Role.SYSADMIN) || service.isUserGlobalGroupAdmin())) {
 			request.setAttribute("errorName","UserAction");
-			request.setAttribute("errorMessage",messageService.getMessage("error.need.sysadmin"));
+			request.setAttribute("errorMessage",messageService.getMessage("error.authorisation"));
 			return mapping.findForward("error");
 		}
 		
 		Integer orgId = WebUtil.readIntParam(request,"orgId",true);
 		Integer userId = WebUtil.readIntParam(request,"userId");
-		AdminServiceProxy.getService(getServlet().getServletContext()).disableUser(userId);
+		service.disableUser(userId);
 		String[] args = new String[1];
 		args[0] = userId.toString();
 		String message = messageService.getMessage("audit.user.disable", args);
@@ -270,18 +281,18 @@
             HttpServletRequest request,
             HttpServletResponse response) throws Exception {
 		
-		messageService = AdminServiceProxy.getMessageService(getServlet().getServletContext());
+		initServices();
 		
-		if (!request.isUserInRole(Role.SYSADMIN)) {
+		if (!(request.isUserInRole(Role.SYSADMIN) || service.isUserGlobalGroupAdmin())) {
 			request.setAttribute("errorName","UserAction");
-			request.setAttribute("errorMessage",messageService.getMessage("error.need.sysadmin"));
+			request.setAttribute("errorMessage",messageService.getMessage("error.authorisation"));
 			return mapping.findForward("error");
 		}
 		
 		Integer orgId = WebUtil.readIntParam(request,"orgId",true);
 		Integer userId = WebUtil.readIntParam(request,"userId");
 		try {
-			AdminServiceProxy.getService(getServlet().getServletContext()).removeUser(userId);
+			service.removeUser(userId);
 		} catch (Exception e) {
 			request.setAttribute("errorName","UserAction");
 			request.setAttribute("errorMessage",e.getMessage());
@@ -306,12 +317,11 @@
             HttpServletRequest request,
             HttpServletResponse response) throws Exception {
 		
-		service = AdminServiceProxy.getService(getServlet().getServletContext());
-		messageService = AdminServiceProxy.getMessageService(getServlet().getServletContext());
+		initServices();
 		
-		if (!request.isUserInRole(Role.SYSADMIN)) {
+		if (!(request.isUserInRole(Role.SYSADMIN) || service.isUserGlobalGroupAdmin())) {
 			request.setAttribute("errorName","UserAction");
-			request.setAttribute("errorMessage",messageService.getMessage("error.need.sysadmin"));
+			request.setAttribute("errorMessage",messageService.getMessage("error.authorisation"));
 			return mapping.findForward("error");
 		}
 		
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserManageAction.java
===================================================================
diff -u -r622101803252450b96cc9882a17ae20de4f6e431 -r4c272618da715b9f814eb81630e92abf2ef1a736
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserManageAction.java	(.../UserManageAction.java)	(revision 622101803252450b96cc9882a17ae20de4f6e431)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserManageAction.java	(.../UserManageAction.java)	(revision 4c272618da715b9f814eb81630e92abf2ef1a736)
@@ -83,18 +83,14 @@
 			orgId = (Integer)request.getAttribute("org");
 		}
 		if((orgId==null)||(orgId<=0)){
-			request.setAttribute("errorName","UserManageAction");
-			request.setAttribute("errorMessage",messageService.getMessage("error.org.invalid"));
-			return mapping.findForward("error");
+			return forwardError(mapping, request, "error.org.invalid");
 		}
 		log.debug("orgId: "+orgId);
 		
 		// get org name
 		Organisation organisation = (Organisation)service.findById(Organisation.class,orgId);
 		if(organisation==null) {
-			request.setAttribute("errorName","UserManageAction");
-			request.setAttribute("errorMessage",messageService.getMessage("error.org.invalid"));
-			return mapping.findForward("error");
+			return forwardError(mapping, request, "error.org.invalid");
 		}
 		String orgName = organisation.getName();
 		log.debug("orgName: "+orgName);
@@ -113,17 +109,18 @@
 		Integer userId = ((UserDTO)SessionManager.getSession().getAttribute(AttributeNames.USER)).getUserID();
 		Organisation orgOfCourseAdmin = (orgType.getOrganisationTypeId().equals(OrganisationType.CLASS_TYPE)) ? pOrg : organisation;
         // check permission
-		if(request.isUserInRole(Role.SYSADMIN)){
+		Integer rootOrgId = service.getRootOrganisation().getOrganisationId();
+		if(request.isUserInRole(Role.SYSADMIN) 
+				|| (service.isUserGlobalGroupAdmin() && !orgId.equals(rootOrgId))){
 			userManageForm.setCourseAdminCanAddNewUsers(true);
 			userManageForm.setCourseAdminCanBrowseAllUsers(true);
-		}else if(service.isUserInRole(userId,orgOfCourseAdmin.getOrganisationId(),Role.COURSE_ADMIN) 
-				|| service.isUserInRole(userId,orgOfCourseAdmin.getOrganisationId(),Role.COURSE_MANAGER)){
+		}else if((service.isUserInRole(userId,orgOfCourseAdmin.getOrganisationId(),Role.COURSE_ADMIN) 
+				|| service.isUserInRole(userId,orgOfCourseAdmin.getOrganisationId(),Role.COURSE_MANAGER))
+				&& !orgId.equals(rootOrgId)){
 			userManageForm.setCourseAdminCanAddNewUsers(orgOfCourseAdmin.getCourseAdminCanAddNewUsers());
 			userManageForm.setCourseAdminCanBrowseAllUsers(orgOfCourseAdmin.getCourseAdminCanBrowseAllUsers());
 		}else{
-			request.setAttribute("errorName","UserManageAction");
-			request.setAttribute("errorMessage",messageService.getMessage("error.authorisation"));
-			return mapping.findForward("error");
+			return forwardError(mapping, request, "error.authorisation");
 		}
 		
 		userManageForm.setOrgId(orgId);
@@ -135,5 +132,15 @@
 		
 		return mapping.findForward("userlist");
 	}
+	
+	private ActionForward forwardError(ActionMapping mapping, HttpServletRequest request, String key) {
+		request.setAttribute("errorName","UserManageAction");
+		if (key.equals("error.org.invalid")) {
+			request.setAttribute("errorMessage",messageService.getMessage("error.org.invalid"));
+		} else if (key.equals("error.authorisation")) {
+			request.setAttribute("errorMessage",messageService.getMessage("error.authorisation"));
+		}
+		return mapping.findForward("error");
+	}
 
 }
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserOrgAction.java
===================================================================
diff -u -ra7b0a98ccdef7a9308b07052506a7d3d8ecfa307 -r4c272618da715b9f814eb81630e92abf2ef1a736
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserOrgAction.java	(.../UserOrgAction.java)	(revision a7b0a98ccdef7a9308b07052506a7d3d8ecfa307)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserOrgAction.java	(.../UserOrgAction.java)	(revision 4c272618da715b9f814eb81630e92abf2ef1a736)
@@ -105,7 +105,8 @@
 		Integer userId = ((UserDTO)SessionManager.getSession().getAttribute(AttributeNames.USER)).getUserID();
 		List users = new ArrayList<User>();
 		Organisation orgOfCourseAdmin = (orgType.equals(OrganisationType.CLASS_TYPE)) ? parentOrg : organisation;
-		if(request.isUserInRole(Role.SYSADMIN)){
+		if(request.isUserInRole(Role.SYSADMIN) 
+				|| service.isUserGlobalGroupAdmin()){
 			users = service.findAll(User.class);
 		}else if(service.isUserInRole(userId,orgOfCourseAdmin.getOrganisationId(),Role.COURSE_ADMIN)
 				|| service.isUserInRole(userId,orgOfCourseAdmin.getOrganisationId(),Role.COURSE_MANAGER)){
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserRolesAction.java
===================================================================
diff -u -r7d91e93ee10b2f84a9a7cc6b83b0cacde0f7affc -r4c272618da715b9f814eb81630e92abf2ef1a736
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserRolesAction.java	(.../UserRolesAction.java)	(revision 7d91e93ee10b2f84a9a7cc6b83b0cacde0f7affc)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserRolesAction.java	(.../UserRolesAction.java)	(revision 4c272618da715b9f814eb81630e92abf2ef1a736)
@@ -111,8 +111,10 @@
 			? org.getParentOrganisation().getOrganisationId() : orgId;
 		Boolean isSysadmin = request.isUserInRole(Role.SYSADMIN);
 		User requestor = (User)service.getUserByLogin(request.getRemoteUser());
-		Boolean requestorHasRole = service.isUserInRole(requestor.getUserId(), orgIdOfCourse, Role.COURSE_ADMIN)
-			|| service.isUserInRole(requestor.getUserId(), orgIdOfCourse, Role.COURSE_MANAGER);
+		Integer rootOrgId = service.getRootOrganisation().getOrganisationId();
+		Boolean requestorHasRole = service.isUserInRole(requestor.getUserId(), orgIdOfCourse, Role.COURSE_MANAGER)
+			|| (service.isUserInRole(requestor.getUserId(), orgIdOfCourse, Role.COURSE_ADMIN) && !rootOrgId.equals(orgId))
+			|| (service.isUserGlobalGroupAdmin() && !rootOrgId.equals(orgId));
 		
 		if (!(requestorHasRole || isSysadmin)) {
 			request.setAttribute("errorName","UserRolesAction");
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserSearchAction.java
===================================================================
diff -u -r8ffa8e9a03c0d185ac035fa6e014e9cc542ca11a -r4c272618da715b9f814eb81630e92abf2ef1a736
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserSearchAction.java	(.../UserSearchAction.java)	(revision 8ffa8e9a03c0d185ac035fa6e014e9cc542ca11a)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/UserSearchAction.java	(.../UserSearchAction.java)	(revision 4c272618da715b9f814eb81630e92abf2ef1a736)
@@ -44,8 +44,6 @@
 import org.lamsfoundation.lams.usermanagement.Role;
 import org.lamsfoundation.lams.usermanagement.User;
 import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
-import org.springframework.web.context.WebApplicationContext;
-import org.springframework.web.context.support.WebApplicationContextUtils;
 
 /**
  * @author jliew
@@ -74,17 +72,17 @@
             HttpServletRequest request,
             HttpServletResponse response) throws Exception {
 		
-		if(!request.isUserInRole(Role.SYSADMIN)){
-			log.debug("user not in role sysadmin");
+		service = AdminServiceProxy.getService(getServlet().getServletContext());
+		DynaActionForm userSearchForm = (DynaActionForm)form;
+		
+		if(!(request.isUserInRole(Role.SYSADMIN) || service.isUserGlobalGroupAdmin())){
+			log.debug("user not sysadmin or global group admin");
 			ActionMessages errors = new ActionMessages();
 			errors.add("authorisation",new ActionMessage("error.authorisation"));
 			saveErrors(request,errors);
 			request.setAttribute("isSysadmin",false);
 			return mapping.findForward("usersearchlist");
 		}
-
-		service = AdminServiceProxy.getService(getServlet().getServletContext());
-		DynaActionForm userSearchForm = (DynaActionForm)form;
 		
 		String userId = ((String)userSearchForm.get("sUserId")).trim();
 		String login = ((String)userSearchForm.get("sLogin")).trim();
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/action/SysAdminStartAction.java
===================================================================
diff -u -r44f9636e4923ab01e51ff46d67b190caf4c93012 -r4c272618da715b9f814eb81630e92abf2ef1a736
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/action/SysAdminStartAction.java	(.../SysAdminStartAction.java)	(revision 44f9636e4923ab01e51ff46d67b190caf4c93012)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/action/SysAdminStartAction.java	(.../SysAdminStartAction.java)	(revision 4c272618da715b9f814eb81630e92abf2ef1a736)
@@ -35,6 +35,10 @@
 import org.lamsfoundation.lams.admin.service.AdminServiceProxy;
 import org.lamsfoundation.lams.admin.web.dto.LinkBean;
 import org.lamsfoundation.lams.usermanagement.Role;
+import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
+import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
+import org.lamsfoundation.lams.web.session.SessionManager;
+import org.lamsfoundation.lams.web.util.AttributeNames;
 
 /**
  * @author jliew
@@ -44,11 +48,15 @@
  */
 public class SysAdminStartAction extends Action {
 	
+	private static IUserManagementService service;
+	
 	public ActionForward execute(ActionMapping mapping,
             ActionForm form,
             HttpServletRequest request,
             HttpServletResponse response) throws Exception {
 		
+		service = AdminServiceProxy.getService(getServlet().getServletContext());
+		
 		ArrayList<LinkBean> links = new ArrayList<LinkBean>();
 		if (request.isUserInRole(Role.SYSADMIN)) {
 			LinkBean linkBean = new LinkBean("cache.do", "cache.title");
@@ -72,6 +80,13 @@
 		} else if (request.isUserInRole(Role.AUTHOR_ADMIN)) {
 			LinkBean linkBean = new LinkBean("toolcontentlist.do", "sysadmin.edit.default.tool.content");
 			links.add(linkBean);
+		} else if (service.isUserGlobalGroupAdmin()) {
+			LinkBean linkBean = new LinkBean("usersearch.do", "admin.user.find");
+			links.add(linkBean);
+			linkBean = new LinkBean("importexcel.do", "admin.user.import");
+			links.add(linkBean);
+			linkBean = new LinkBean("disabledmanage.do", "admin.list.disabled.users");
+			links.add(linkBean);
 		} else {
 			request.setAttribute("errorName", "SysAdminStartAction");
 			request.setAttribute("errorMessage", AdminServiceProxy
Index: lams_admin/web/orglist.jsp
===================================================================
diff -u -rd32ad084559609b1bf57bfe096a7e8634bf0f265 -r4c272618da715b9f814eb81630e92abf2ef1a736
--- lams_admin/web/orglist.jsp	(.../orglist.jsp)	(revision d32ad084559609b1bf57bfe096a7e8634bf0f265)
+++ lams_admin/web/orglist.jsp	(.../orglist.jsp)	(revision 4c272618da715b9f814eb81630e92abf2ef1a736)
@@ -6,17 +6,19 @@
 		<a href="orgmanage.do?org=<bean:write name="OrgManageForm" property="parentId"/>"><fmt:message key="admin.course.manage" /></a>
 	</h2>
 	<p>&nbsp;</p>
-	<logic:equal name="isSysadmin" value="true">
+	<p align="right">
+	<logic:equal name="createOrEditGroup" value="true">
 		<c:url var="editaction" value="organisation.do">
 			<c:param name="method" value="edit" />
 			<c:param name="typeId" value="2" />
 			<c:param name="parentId" value="${OrgManageForm.parentId}" />
 		</c:url>
-		<p align="right">
-			<input class="button" type="button" value='<fmt:message key="admin.course.add"/>' onclick=javascript:document.location='<c:out value="${editaction}"/>' />
-			<input class="button" type="button" value='<fmt:message key="admin.global.roles.manage" />' onclick=javascript:document.location='usermanage.do?org=<c:out value="${OrgManageForm.parentId}"/>' />
-		</p>
+		<input class="button" type="button" value='<fmt:message key="admin.course.add"/>' onclick=javascript:document.location='<c:out value="${editaction}"/>' />
 	</logic:equal>
+	<logic:equal name="manageGlobalRoles" value="true">
+		<input class="button" type="button" value='<fmt:message key="admin.global.roles.manage" />' onclick=javascript:document.location='usermanage.do?org=<c:out value="${OrgManageForm.parentId}"/>' />
+	</logic:equal>
+	</p>
 </logic:equal>
 <logic:equal name="OrgManageForm" property="type" value="2">
 	<h2>
@@ -33,7 +35,9 @@
 	<p align="right">
 		<input class="button" type="button" value='<fmt:message key="admin.class.add"/>' onclick=javascript:document.location='<c:out value="${editaction}"/>' />
 		<input class="button" type="button" value='<fmt:message key="admin.user.manage" />' onclick=javascript:document.location='usermanage.do?org=<c:out value="${OrgManageForm.parentId}"/>' />
-		<input class="button" type="button" value='<fmt:message key="admin.edit" /> <bean:write name="OrgManageForm" property="parentName"/>' onclick=javascript:document.location='organisation.do?method=edit&orgId=<c:out value="${OrgManageForm.parentId}"/>' />
+		<logic:equal name="createOrEditGroup" value="true">
+			<input class="button" type="button" value='<fmt:message key="admin.edit" /> <bean:write name="OrgManageForm" property="parentName"/>' onclick=javascript:document.location='organisation.do?method=edit&orgId=<c:out value="${OrgManageForm.parentId}"/>' />
+		</logic:equal>
 	</p>
 </logic:equal>
 <table class=alternative-color width=100%>
Index: lams_build/lib/lams/lams.jar
===================================================================
diff -u -rb0dcfbd991bc7a05258b95533511ab70208beb64 -r4c272618da715b9f814eb81630e92abf2ef1a736
Binary files differ
Index: lams_central/src/java/org/lamsfoundation/lams/web/IndexAction.java
===================================================================
diff -u -re3bc6fc68e7c64c4771a1f9a3056e4d750bea26d -r4c272618da715b9f814eb81630e92abf2ef1a736
--- lams_central/src/java/org/lamsfoundation/lams/web/IndexAction.java	(.../IndexAction.java)	(revision e3bc6fc68e7c64c4771a1f9a3056e4d750bea26d)
+++ lams_central/src/java/org/lamsfoundation/lams/web/IndexAction.java	(.../IndexAction.java)	(revision 4c272618da715b9f814eb81630e92abf2ef1a736)
@@ -45,9 +45,9 @@
 import org.lamsfoundation.lams.usermanagement.UserOrganisation;
 import org.lamsfoundation.lams.usermanagement.UserOrganisationRole;
 import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
-import org.lamsfoundation.lams.util.WebUtil;
 import org.lamsfoundation.lams.util.Configuration;
 import org.lamsfoundation.lams.util.ConfigurationKeys;
+import org.lamsfoundation.lams.util.WebUtil;
 import org.springframework.web.context.WebApplicationContext;
 import org.springframework.web.context.support.WebApplicationContextUtils;
 
@@ -166,7 +166,7 @@
 		List<IndexLinkBean> adminLinks = new ArrayList<IndexLinkBean>();
 		if (request.isUserInRole(Role.SYSADMIN) || request.isUserInRole(Role.COURSE_ADMIN) || request.isUserInRole(Role.COURSE_MANAGER))
 			adminLinks.add(new IndexLinkBean("index.courseman", "javascript:openOrgManagement(" + getService().getRootOrganisation().getOrganisationId()+')'));
-		if (request.isUserInRole(Role.SYSADMIN) || request.isUserInRole(Role.AUTHOR_ADMIN))
+		if (request.isUserInRole(Role.SYSADMIN) || request.isUserInRole(Role.AUTHOR_ADMIN) || getService().isUserGlobalGroupAdmin())
 			adminLinks.add(new IndexLinkBean("index.sysadmin", "javascript:openSysadmin()"));
 		request.setAttribute("adminLinks", adminLinks);
 	}
Index: lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/IUserManagementService.java
===================================================================
diff -u -r014f8d44ccd74d20a8c00442ee9dd013521f4aea -r4c272618da715b9f814eb81630e92abf2ef1a736
--- lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/IUserManagementService.java	(.../IUserManagementService.java)	(revision 014f8d44ccd74d20a8c00442ee9dd013521f4aea)
+++ lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/IUserManagementService.java	(.../IUserManagementService.java)	(revision 4c272618da715b9f814eb81630e92abf2ef1a736)
@@ -359,4 +359,9 @@
 	 */
 	public void deleteChildUserOrganisations(User user, Organisation org);
 	
+	/**
+	 * Return true if user is a global group admin.
+	 * @return
+	 */
+	public boolean isUserGlobalGroupAdmin();
 }
\ No newline at end of file
Index: lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/UserManagementService.java
===================================================================
diff -u -r014f8d44ccd74d20a8c00442ee9dd013521f4aea -r4c272618da715b9f814eb81630e92abf2ef1a736
--- lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/UserManagementService.java	(.../UserManagementService.java)	(revision 014f8d44ccd74d20a8c00442ee9dd013521f4aea)
+++ lams_common/src/java/org/lamsfoundation/lams/usermanagement/service/UserManagementService.java	(.../UserManagementService.java)	(revision 4c272618da715b9f814eb81630e92abf2ef1a736)
@@ -56,6 +56,8 @@
 import org.lamsfoundation.lams.usermanagement.dto.UserManageBean;
 import org.lamsfoundation.lams.util.HashUtil;
 import org.lamsfoundation.lams.util.MessageService;
+import org.lamsfoundation.lams.web.session.SessionManager;
+import org.lamsfoundation.lams.web.util.AttributeNames;
 
 /**
  * <p>
@@ -716,10 +718,12 @@
 			allRoles.remove(role);
 		}
 		if(!orgType.getOrganisationTypeId().equals(OrganisationType.COURSE_TYPE)) {
-			role.setRoleId(Role.ROLE_COURSE_ADMIN);
-			allRoles.remove(role);
 			role.setRoleId(Role.ROLE_COURSE_MANAGER);
 			allRoles.remove(role);
+			if(!orgType.getOrganisationTypeId().equals(OrganisationType.ROOT_TYPE)) {
+				role.setRoleId(Role.ROLE_COURSE_ADMIN);
+				allRoles.remove(role);
+			}
 		}
 		return allRoles;
 	}
@@ -757,4 +761,10 @@
 			}
 		}
 	}
+	
+	public boolean isUserGlobalGroupAdmin() {
+		Integer requestorId = ((UserDTO)SessionManager.getSession().getAttribute(AttributeNames.USER)).getUserID();
+		Integer rootOrgId = getRootOrganisation().getOrganisationId();
+		return isUserInRole(requestorId, rootOrgId, Role.COURSE_ADMIN);
+	}
 }
\ No newline at end of file