I'm not sure if there is existing functionality surrounding this, but we are trying to come up with a way that we can heavily restrict user access.
At the moment, only our engineering team have access to Phabricator. We have additional teams (which do QA related things) who need to report bugs to the engineering team, but should otherwise have very restricted access to Phabricator. We don't want these users to have access to tickets that they are not involved with (I.e. not the author and not CCed) and we don't want these users to have access to Diffusion and differential.
I guess there's a few ways that this could be achieved:
# Allow custom user types (there is currently "Normal", "Bot" and "Disabled") to be defined with custom permissions.
# Allow a global minimum policy for all applications to be set in the configuration