- We have all of our FTEs in S1. This is driven my membership in an Employee group. This gives access to more or less everything: tasks, repos, etc. More or less everything is configured to be visible to people in this space.
- We have contractor accounts scattered a cross a few other highly restrictive spaces.. These typically are project membership driven (i.e. a Contractor group) and only allow you to see objects that have explicitly been created in one of these spaces (mostly tasks for a specific contractor workboard.)
We've now found ourselves in a position where we have some contractors that need expanded, but not full, privileges. We want them to be able to see all tasks and our wiki, but they have no need to access/clone source code. The only way I can think of to do this **easily** is to add them to a hidden group like #NoRepo and update Diffusion policies. This seems hacky and worse error prone - it requires a step to **deny** privileges, which is generally a bad idea since it can easily be missed.
An annoyingly-complex solution might be to refactor our spaces completely. I think we'd need to move all objects into new spaces (basically break sets of privileges into separate spaces) and compose new parent spaces out of these, so I could make a `do-everything space` and a `do-everything-except-access-code space`.
We're open to clever solutions using the current tools if you have ideas, but it seems that this might be a gap in the spaces policies. Any thoughts/suggestions would be appreciated!