All ideas are welcome. Just because the Idea doesn't make it into the product immediately does not make it a bad idea.
While we're strong proponents of configurable security checkpoints that would allow us to customize our security to align with our roles, we were directed to suggest specific security combinations that would help us provision our users in the meantime. We have a hub-and-spoke model for governance, meaning we have a centralized enterprise level and sanctioned domain-specific activities which align with the processes set at the enterprise. We would like to see a distinction between creating/modifying assets that are available to the enterprise and creating/modifying assets that are specific to a domain. For example, we may allow our Quality and Patient Safety domain to create rules and policies that they want their team to follow when tracking their terms representing report output, but we wouldn't want them to create or modify enterprise-level rules or policies. Ideally, we'd flag a user as belonging to a level (specific domain or to the enterprise) which would control what they can read, edit, and create.
Guest
We are scoping a more thorough change management and and versioning system that would introduce a more detailed security model to address these type of concerns. This concept of enterprise vs "locally" owned assets is in our plans to support with the exact details of the implementation going through design phases now
