Hide custom compliance management form from subgroup non-owners
Problem
Currently, a subgroup owner can attempt to create a custom compliance framework when they are not an owner of the root group. But this process fails validation because the user is not an owner of the root group.
Compliance frameworks are always created on the root level, even when created via a subgroup's settings page.
Technically, this is the correct behaviour. Owners of subgroups that are not owners of the subgroup's root group should not be able to create compliance frameworks.
From a user experience perspective, this is not ideal as it gives the user the impression that they can perform an action when they cannot.
| Parent Group Permissions | Subgroup Permissions | Can see form? | Can create framework? |
|---|---|---|---|
| Owner | Owner | Yes | Yes |
| Developer | Owner | Yes | No |
Proposal
- Remove the ability for users who do not have `owner_access` to a subgroup's root ancestor to add/remove/update compliance frameworks on all subgroups.
OR
- Remove the ability to add compliance frameworks via a subgroup's settings page for all users to make it clear that compliance frameworks are always added to the root ancestor anyway.
AND
- Update the documentation to make this behaviour clearer.
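The first proposal above comes down to one rule: because a compliance framework always lands on the root ancestor, the form and the create action should both be gated by the caller's access on that root group, not on the subgroup. The Ruby below is an added illustration of that rule, not GitLab's code; the `Group` struct, the numeric access levels, the `can_manage_compliance_frameworks?` predicate and the `alice`/`bob` fixtures are all constructed here to reproduce the two rows of the table.

```ruby
# Added example (not GitLab's code): a minimal model of the check the issue
# describes. Frameworks belong to the root ancestor, so form visibility and the
# server-side create action share ONE predicate that inspects the caller's
# access on the root group rather than on the subgroup where the form is shown.

# Access levels, numeric so they can be compared (values are constructed).
ACCESS_LEVELS = { guest: 10, reporter: 20, developer: 30, maintainer: 40, owner: 50 }.freeze

Group = Struct.new(:name, :parent, :members, :compliance_frameworks) do
  # Walk up until there is no parent; that is where frameworks are stored.
  def root_ancestor
    node = self
    node = node.parent while node.parent
    node
  end

  # Direct membership on this group only; inherited access is computed below.
  def direct_access_level(user)
    members[user] || 0
  end
end

def build_group(name, parent: nil, members: {})
  Group.new(name, parent, members, [])
end

# Effective access on +group+ is the highest direct access held on the group or
# any of its ancestors (membership in a parent is inherited by subgroups).
def max_access_level(user, group)
  level = 0
  node = group
  while node
    level = [level, node.direct_access_level(user)].max
    node = node.parent
  end
  level
end

# The single authorization predicate: owner access on the ROOT ancestor.
# A user who is Owner of the subgroup but only Developer on the root fails here.
def can_manage_compliance_frameworks?(user, group)
  max_access_level(user, group.root_ancestor) >= ACCESS_LEVELS[:owner]
end

# UI layer: render the "add framework" form only when the action would succeed.
def show_compliance_form?(user, group)
  can_manage_compliance_frameworks?(user, group)
end

# Server side: the same predicate is re-checked; hiding the form is a usability
# fix, the authoritative control stays here.
class NotAuthorized < StandardError; end

def create_compliance_framework!(user, group, framework_name)
  unless can_manage_compliance_frameworks?(user, group)
    raise NotAuthorized, "#{user} is not an owner of #{group.root_ancestor.name}"
  end

  root = group.root_ancestor
  root.compliance_frameworks << framework_name
  root
end

# Constructed fixtures matching the issue's table:
#   alice -> Owner of root and of the subgroup        (form: yes, create: yes)
#   bob   -> Developer on root, Owner of the subgroup (form: no,  create: no)
ROOT = build_group("root",
                   members: { "alice" => ACCESS_LEVELS[:owner], "bob" => ACCESS_LEVELS[:developer] })
SUB  = build_group("sub", parent: ROOT,
                   members: { "alice" => ACCESS_LEVELS[:owner], "bob" => ACCESS_LEVELS[:owner] })

if __FILE__ == $PROGRAM_NAME
  %w[alice bob].each do |u|
    puts "#{u}: show_form=#{show_compliance_form?(u, SUB)} " \
         "can_create=#{can_manage_compliance_frameworks?(u, SUB)}"
  end
end
```

Running it prints one line per user; `bob` gets `show_form=false` although he owns the subgroup, which is the UI state the issue asks for, and a direct call to `create_compliance_framework!` for him raises `NotAuthorized`, so the model matches the validation that already exists on the root group.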
Edited by Max Woolf