Separate “View All Applications” from “Take Action on All Applications” Permissions for Stronger Governance Controls

Separate “view all applications” from “take action on all applications” at the role permission level so organizations can support executive oversight and committee visibility without granting global operational or bulk-action authority.

Current Behavior

Today, the role permission “Can Access and Take Action on All Applications” combines two distinct control concepts:

  • Global visibility (view access)

  • Operational authority (workflow and bulk actions)

Additionally, bulk actions are only available from the Applications tab. Because bulk action capability is bundled with global visibility, any user who needs bulk approval capability effectively gains unrestricted operational access across all workflows.

Role permissions currently supersede workflow-level governance design. Even when workflows are configured correctly (e.g., a dedicated CEO Approval level), users with this role permission can bulk act on applications in earlier workflow stages.

Control Impact

For organizations operating with governance thresholds (executive approval levels, committee review, separation of duties), this creates a significant control limitation.

In our case:

  • We created a dedicated CEO Approval workflow level.

  • We provided filtered views for safe navigation.

  • However, bulk action authority still exposes all applications on the Applications tab.

Because filter usage relies on human behavior, our CEO has inadvertently bulk-approved grants that were not yet intended for approval when filters were not applied. This creates a real governance risk despite correct workflow configuration.

Organizations are forced to choose between:

  • Operational efficiency (bulk approval) with elevated control risk, or

  • Strong governance alignment with reduced efficiency (individual record approvals).

Proposed Solution

Introduce separate role permissions such as:

  1. “Can view all applications” or “Can view applications only assigned to me” (this would include anything we've set up as passthrough, I would think).

  2. “Can take action on all applications” (ideally only for super admin, a very controlled permission) or “Can take action on applications assigned to me” (which would apply workflow-level action availability parameters).

Bulk actions in the Applications tab should respect workflow-level action availability (unless the take action on all is given to a user). If a user does not have an actionable workflow step on a record, bulk actions should not be available for that record — even when global visibility exists.

This would allow workflow-level governance design to function as intended (since workflow-level permissions already control what actions exist at a level) while still enabling executive bulk approval where appropriate.

Business Value: Reduces risk of accidental bulk actions, aligns with audit and compliance expectations, enables scalable enterprise governance models (scalable is the whole reason for choosing your platform), and removes the need for workaround processes outside the platform (again, the reason we chose your platform).


Happy to discuss this further if needed.

  • Lyndsey Teeters
  • Feb 18 2026
Client Name Cummins
Employee Name Lyndsey Teeters
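
The permission split proposed above, sketched as an added example (not part of the original request and not the platform's code): view and action rights are separate flags, and the bulk action checks every selected record against workflow-level action availability. The `Perm` names, the data model and the sample workflow levels other than "CEO Approval" are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Flag, auto

class Perm(Flag):              # hypothetical permission names
    VIEW_ASSIGNED = auto()
    VIEW_ALL = auto()          # global visibility only
    ACT_ASSIGNED = auto()      # act where the workflow gives this user a step
    ACT_ALL = auto()           # tightly held, e.g. super admin

@dataclass(frozen=True)
class Application:
    app_id: str
    level: str                 # current workflow level of the record

@dataclass(frozen=True)
class User:
    name: str
    perms: Perm
    levels: frozenset          # workflow levels where this user holds an actionable step

def can_view(user, app):
    if Perm.VIEW_ALL in user.perms:
        return True
    return Perm.VIEW_ASSIGNED in user.perms and app.level in user.levels

def can_act(user, app):
    # Visibility never implies authority: only the ACT_* permissions are consulted.
    if Perm.ACT_ALL in user.perms:
        return True
    return Perm.ACT_ASSIGNED in user.perms and app.level in user.levels

def bulk_approve(user, selection):
    """Check each selected record on the server side; return (approved, refused) ids."""
    approved, refused = [], []
    for app in selection:
        ok = can_view(user, app) and can_act(user, app)
        (approved if ok else refused).append(app.app_id)
    return approved, refused

# Constructed sample data: an unfiltered Applications tab, selected in full.
APPS = [Application("A-1", "Program Review"), Application("A-2", "Committee Review"),
        Application("A-3", "CEO Approval"), Application("A-4", "CEO Approval")]
CEO = User("ceo", Perm.VIEW_ALL | Perm.ACT_ASSIGNED, frozenset({"CEO Approval"}))
ADMIN = User("admin", Perm.VIEW_ALL | Perm.ACT_ALL, frozenset())
OBSERVER = User("committee", Perm.VIEW_ALL, frozenset())

if __name__ == "__main__":
    for u in (CEO, ADMIN, OBSERVER):
        print(u.name, bulk_approve(u, APPS))
```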