With the release of 5.28, we have introduced a new admin role permission to allow restrictions to be placed on department admins taking advantage of Self and Automatic Enrollment functionality when adding or editing courses. By default the new ENROLL ANYONE permission has been enabled for all existing admins, so you will not see any changes to functionality until you deliberately opt out of this permission when building a new custom role. When maintaining availability rules within a course, department admins without this permission will see a mandatory department (and sub-departments) filter applied based on the departments that they oversee. Additional criteria can be added to further filter down the users this course will be made available to, but this department can not be removed by the admin. Any time a new admin goes into a course to edit it, the department filters will be updated to the current admin's user management permissions. Effectively, every department admin's base "all users" filter will only ever include the users they manage.
In order to configure the role permissions for this new functionality, ENROLL ANYONE must be enabled within the user Roles report. You can find this new permission option located under ENROLLMENTS when editing individual roles. When enabled, admins are able to enroll users from any department, regardless of their own department.
This new permission allows for a granular approach when it comes to the availability permissions for department admins created in future, and what learners they have access to.