We are using Groups instead of Tenants, because right now, most of our users are internal organizational groups and we were told that this was a better way to go. But not everything in Morpheus is enabled for group-level administration. For example, if I allow someone - a group administrator - access to Approvals in their Role, they can actually see and approve anything on the system, not just the resources within their own group. This is kind of bad. Right now, we are in a situation where we have to full administrative rights (keys to the kingdom) to group administrators (and trust they don’t make huge mistakes), if we want to keep these group-specific tasks off our platform team.
I’m sure there are other additional use cases, but the use case that drove this Idea post, was Approvals. It doesn’t seem to matter if I put a Approve Delete policy on a cloud or a specific group, if I give a group administrator the ability to approve deletes, they can see and approve ALL approvals on the system, and not the ones confined to just their own group.