Improve Granularity of Security in NetCommunity

There are a number of functions in NetCommunity for which rights are not very granular.

Hopefully, I haven't missed anything, but going through Organization and Site settings, what I'd like to see improved is this:

1) Under Organization Settings: Miscellaneous Tasks > Edit Organization Settings and Rights

For this setting, there is only the ability to allow Edit or No Access. Under Organization settings are six areas: General; Web Services; Caching, Schedules; Financial; Social Media; API. 

Realistically, it would be nice to be able to grant view/edit to each of these particular areas. Things like Web Services configuration, Caching, and Schedules should at the very least be limitable (view only). The General "tab" needs to be divided into sub areas, along with the potential for View/Edit in each of the major areas. At the very least, I would not want to grant someone the ability to edit SSL settings (for example) or HTML tags. However, certain users that are managing website content probably ought to at least be able to see the Attributes/Titles that are usable within the site, and others ought to be able to change it - however, this should not require granting access to change things like Web Services, which deal with the configuration for connection to the REWS host.

2) Under Organization Settings: URL Redirects is either Full Rights or None

(Note: this setting does not appear to be documented in the v7.0 version of the NetCommunity Security Document)

Proposed Changes: Add the ability to only view redirects; Allow the ability to restrict the ability to re-direct to non-organizational sites. Allow someone to be able to only redirect within a site over which they have control.

3) Allow limited subset of User Management to non-Supervisor users.

Right now, Supervisor rights are required in order to manage users. However, this grants the ability to create other Supervisor users that may or may not be members of the organization (See Audit Log, below). It might be nice to see the ability for non-supervisor users to be assigned a sub-set of Roles to which they can assign other users. (E.g., John can see the Content Author role and assign specific users to it, but cannot create new users that belong to the Supervisor role or other Roles for which he has not been given access.) This would potentially allow some freedom while not giving away the keys to the kingdom, as Security Role definition still remains in the hands of true system Supervisors.

The other thing that is connected to this that I'd like to see is an audit log. Specifically, if one finds oneself in the unenviable position of having to grant supervisor rights (or, even if there are multiple supervisors in one's organization) rights to a significant number of users, it would be nice to be able to have a log of (by user, date/time, site, etc.) events to be able to trace activity:

a) Changes to Organization Settings

b) Addition/Modification/Removal of other Supervisor Level Users (granting Supervisor means that one can grant and quickly remove other Supervisors)

c) Addition of/Changes to Roles, Task Groups and User -> Role -> Task Setting assignments. (Allow to be configured for specific 

d) The creation of new sites should be audited/logged.

e) The creation of new Merchant Accounts, and the assignment of Merchant Accounts to specific parts should be logged.

Just a couple of thoughts - hopefully they would contribute to a structured separation of duties! Thanks in advance for your consideration!

Matt

  • Guest
  • Mar 20 2017
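As an added illustration (this is not NetCommunity code and not part of the original post; the role names, user names and setting areas below are made up for the sketch), the following Python model shows the three ideas above working together: per-area view/edit grants where edit implies view, delegated role assignment where a non-Supervisor may assign only roles explicitly delegated to them and never Supervisor, and an audit trail that records setting changes and role grants by actor, site and time.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical role name used by this sketch; NetCommunity's real role model is not reproduced here.
SUPERVISOR = "Supervisor"


class AuthorizationError(Exception):
    """Raised when an actor lacks the right for the requested action."""


@dataclass(frozen=True)
class AuditEvent:
    actor: str
    action: str
    target: str
    site: str
    at: datetime


@dataclass
class SecurityModel:
    # role name -> set of (area, level) grants; level is "view" or "edit"
    role_grants: dict[str, set[tuple[str, str]]]
    # user -> set of role names held
    user_roles: dict[str, set[str]]
    # user -> roles that user may assign to others (absent for most users)
    delegations: dict[str, set[str]] = field(default_factory=dict)
    audit: list[AuditEvent] = field(default_factory=list)

    def _log(self, actor: str, action: str, target: str, site: str) -> None:
        self.audit.append(AuditEvent(actor, action, target, site, datetime.now(timezone.utc)))

    def is_supervisor(self, user: str) -> bool:
        return SUPERVISOR in self.user_roles.get(user, set())

    def can(self, user: str, area: str, level: str) -> bool:
        """Per-area check: 'edit' implies 'view'; Supervisor implicitly has everything."""
        if self.is_supervisor(user):
            return True
        needed = {(area, "edit")} if level == "edit" else {(area, "view"), (area, "edit")}
        return any(self.role_grants.get(role, set()) & needed
                   for role in self.user_roles.get(user, set()))

    def change_setting(self, actor: str, area: str, site: str = "main") -> None:
        """Edit an organization-settings area; refused without an edit grant, logged when allowed."""
        if not self.can(actor, area, "edit"):
            raise AuthorizationError(f"{actor} may not edit {area}")
        self._log(actor, "org_setting.edit", area, site)

    def assign_role(self, actor: str, target_user: str, role: str, site: str = "main") -> None:
        """Supervisors may assign any role; others only delegated roles, and never Supervisor."""
        if not self.is_supervisor(actor):
            if role == SUPERVISOR or role not in self.delegations.get(actor, set()):
                raise AuthorizationError(f"{actor} may not assign {role}")
        self.user_roles.setdefault(target_user, set()).add(role)
        # Supervisor grants get their own event name so they are easy to filter in the log.
        action = "supervisor.grant" if role == SUPERVISOR else "role.assign"
        self._log(actor, action, f"{target_user}:{role}", site)


def try_assign(model: SecurityModel, actor: str, target: str, role: str) -> bool:
    """Return True if the assignment was permitted, False if it was refused."""
    try:
        model.assign_role(actor, target, role)
        return True
    except AuthorizationError:
        return False


def build_demo_model() -> SecurityModel:
    """Constructed sample data: a Supervisor, a site admin with one delegated role, and a new user."""
    grants = {
        "Content Author": {("general.attributes", "view"), ("url_redirects", "view")},
        "Site Admin": {("general.attributes", "edit"), ("web_services", "view"),
                       ("caching", "view"), ("schedules", "edit")},
        SUPERVISOR: set(),  # Supervisor is handled implicitly in can()
    }
    users = {"sam": {SUPERVISOR}, "john": {"Site Admin"}, "alice": set()}
    delegations = {"john": {"Content Author"}}
    return SecurityModel(grants, users, delegations)


if __name__ == "__main__":
    m = build_demo_model()
    m.assign_role("john", "alice", "Content Author")       # delegated: allowed
    print(try_assign(m, "john", "alice", SUPERVISOR))        # never for a non-Supervisor
    m.assign_role("sam", "alice", SUPERVISOR)                # Supervisor: allowed and logged
    for e in m.audit:
        print(e.at.isoformat(), e.site, e.actor, e.action, e.target)
```

The point of splitting grants by area is visible in the demo data: "Site Admin" can edit attributes and schedules but only view web services and caching, so a content-side role never carries the right to change the connection configuration. The audit list is what the proposal's items (a) and (b) ask for; a real system would persist it append-only rather than keep it in memory.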
  • Guest commented
    December 03, 2019 14:23

    Whoops, my vote and comment were meant for Core, not NetCommunity.

  • Guest commented
    December 03, 2019 14:21

    I completely agree. There has to be more granularity when it comes to security rights for Core Roles. For example, the Attendance Manager Role includes the ability to view, edit, and delete a student's test scores. When I clone the role to try and 'water' it down, I can remove the ability to view test scores but then Attendance Managers cannot do other necessary functions. I could provide numerous other examples but I hope this one makes my point. Education Edge was very granular when it came to roles/rights and it was much clearer.