Problem Definition

User Story

As an Optimize admin
I want to prevent arbitrary Optimize users from creating entities
So that I can ensure data restriction

Use Cases

1. Give a user read-only rights to dashboards and reports in Optimize
2. Enforce that all dashboards and reports are in a Collection
3. Prevent the creation of reports with sensitive data

PM Notes (Customer requests, context, assumptions)

1. During trials or in dev environments, all users should be superusers to experience the potential value
2. Access to production data is tightly restricted, especially in government organizations
3. If this isn't hidden behind a config flag, then we need to design around the case where a process owner or developer doesn't have access to any collection. This might involve updating our blank state text and directing them to their admins.
4. Another way to create a new collection is by clicking the "Dashboard" link on the Processes page. A user with access to a given process shouldn't necessarily have access to a collection with dashboard and reports.

Solution Definition

Solution Ideas

1. Disable/hide the Create New button on the main page for non-superusers
2. Prevent non-superusers from creating assets outside a collection (i.e. via Home page)
3. Prevent non-superusers from using the Processes Page magic link to create collections and dashboards
4. Prevent non-superusers from adding themselves to a collection via the Processes page magic link
5. Inform the user how to gain access to a given collection/dashboard (ask the Collection Owner (username) for access
6. Prevent users without access to a given Process Definition to be assigned as the Process Owner
   

Design Notes (Videos, mockups, guidance)

User Scenario

GIVEN
(MH/SH/NTH) WHEN
(MH/SH/NTH) THEN

Metrics (if applicable)