is there a way to block [players] from using the commands on all higher groups BUT still be able to use it own members in their group?
This is a snippet from a forum post where I helped someone with can_target. Hopefully you will also find it useful!
Say you had the following groups: superadmin, admin, operator, users
If you want each group to target their own group and any groups under them, you'd set their can_target to be this:
superadmin: * (or leave blank)
admin: !%superadmin
operator: !%admin
user: !%operator
To explain, the ! means not, % means group followed by the group name. So you can really just say it out loud for it to make sense:
'ulx setgroupcantarget operator "!%admin"' means "operator can target NOT group admin" (This also means they can't target superadmins, because the superadmin group inherits from admin)
So, to solve the problem above, you would do: "ulx setgroupcantarget mod !%mod,^" This means "mod can target NOT group mod, can target self" (The comma basically just adds another separate parameter)
Update regarding Inheritance and branching:With the inheritance system, it is possible to create multiple branches of inheritance. This is a VERY advanced functionality, and the only real benefit it provides is being able to more easily set different sets of permissions for different "branches" of groups. In all reality,
there's a 99% chance you don't need to do it this way. You can accomplish a similar thing by creating a linear inheritance branch, then just deny the permissions you don't want the higher groups to have.
If you do decide to go the inheritance branch route, you'll need to set up can_target values manually. I'll quote what I said from a different thread about the subject:
Right now, your tree looks like this (in wonderful ASCII form):
moderator <- donoradmin <- trialstaff <- donormod <- legacy <- trusted <- regular \
> user
superadmin <- admin /
So, when you specify that "donormod" can_target "!%trialstaff", you're saying "donormod can't target trialstaff or any group that inherits from it", meaning donoradmin and moderator. This does NOT say anything about the superadmin and admin groups, which are on a different branch. Unfortunately, due to how the , operator works (as a Union), setting the can_target to "!%trialstaff,!%admin", or even "!%trialstaff,!#superadmin,!#admin" will NOT work like you think it would.
The only benefit branching provides is if you have completely different sets of command accesses you want to give to each branch, say, if you wanted to give moderators something you didn't want to give admins. Still, this can be also solved by using "ulx groupdeny" to prevent a group from inheriting access from a lower command.
So if you want to keep the branching, you'll have to go through each can_target and manually specify the groups you want them to target. donormod's can_target would become: "#legacy,#trusted,#regular,#user" (Needless to say, ULX's targeting system wasn't quite designed to handle this kind of complicated inheritance targeting, Megiddo has mentioned it in other threads.)
