Concourse Feedback

Put Simply:
Enable seamless, territory-aligned view-only access to all Concourse-integrated applications for ECR and other Oversight teams through a hidden “Reviewer” role managed via Save It. Each Territory has Oversight teams (Legal/OGC, Risk Mgmt/OFRO and Engagement Compliance Review (ECR)) that require view-only access to client service work to fulfil review responsibilities. We need to enable a read-only access for Territory's Oversight teams (upon request) to allow visibility across the Concourse platform (Concourse workspaces including all integrated apps), and that is removed when no longer needed

Why it Matters:
Territory oversight teams like OGC, ECR, and R&G need ability to have view-only access to engagement workspaces in Concourse and it’s integrations (Jira, Save It, Miro, etc.) to fufill review responsibilities. Right now, they must ask Concourse Admin for access, and are only able to be given Limited Team Member access, which is not ideal since it gives the user edit access and that team member is visible in the team member list. A smoother, more private way to give access is needed.

Additional Context:
We need a ‘Reviewer’ (View-Only) role in Concourse that:

• Acts as a permission orchestration layer for integrated applications.

• Inherits existing “Save It Oversight” role groups from each territory. [LU NOTE: Since we don't want to all ALL Oversight teams to ALL workspaces due to license cost concerns, we would rather it validate the User's Request against this Oversight group list. Ability to request view-only access should ideally be connected to Save It somehow-as that's where they'll look first.]

• Maps to view-only permissions in connected tools like:

  • Jira Cloud / DC (Jira read-only role)

  • Miro

  • Workbench

  • And any future connected tools

• Avoids duplicating territory management by leveraging Save It’s existing access model.

• Is hidden from front-end UI in Concourse, with any changes managed exclusively through the Save It process.

• Enables seamless, read-only visibility for legal, compliance, and governance reviews in integrated workspaces.

• Automatically removes/revokes access from Concourse and all integrations after 15 days

Acceptance Criteria:

• We need a ‘Reviewer’ (View-Only) role in Concourse with the following rules:

  • Reviewers should be able to add themselves to Concourse (how and from where?).

  • They can join successfully only if they are part of the oversight group in Save it. Otherwise, show an error message.

  • Once added, they should have read-only access in Concourse and all connected systems.

  • Their name should not appear on the front end, in CC and other integrated systems

  • Store their details in the backend with proper logs.

  • After 15 days, they should be removed automatically from Concourse and all integrated systems.

• Questions:

  • Can we control read only access in all the downstream integrated systems?

  • Any specific requirements that need to be considered wrt UC?

  • What happens if the user is no longer a part of the Save it Oversight group, while they have access in CC. Should we revoke access?

• Few limitations identified in case we want to leverage the saveit's oversight group

  • Oversight groups exist in Entra AD but Jira and Miro require individual licenses and don’t support group-based access.

  • Adding individual users from these groups to Jira or Miro is not practical, as group memberships are dynamic and users may only need temporary access. This could result in users retaining access longer than necessary, creating compliance and security issues.

  • Both tools require user invites and license consumption; no shared reviewer role or pooled licenses exist.

  • Unless these applications are integrated with Entra AD and support group-based permissions, the proposed solution of using oversight groups for read-only access across systems will not work as intended.