Rather than looking at every possible option in the permissions list, do your self-service users have access to those workspaces? E.g., if your self-service user cannot even see any CIs as they do not have access to the workspace, do you need to restrict their permissions to create them? This is the premise that the ootb permissions are set on, in my experience; otherwise there are 804-ish objects ootb to start with and then 4 options (Add, View, Edit, Delete), and that is before you review any specific field visibility options or other security rules... a lot of possible options there.
When I create my Self Service roles I only make changes to the CI object permissions if I grant the user the ability to view CIs, and then I usually only allow a user to see any CIs which are assigned to them.
Do you have a specific scenario in mind?
Thanks for the reply, Alasdair. My situation is somewhat unique as we have many high-level roles in our enterprise. I was exaggerating with the Self Service comment, but we have actually had folks delete CIs, add Lines Of Business, and add and update status values. The proverbial cornucopia of surprises. Never underestimate the end user. I have made some progress. Painful but productive. I think I have scrubbed this pretty well. As we continue to implement, I am updating to get a single role established, then I will clone that for others.