Reorganization of Tenant Admin and Workspace Admin Roles, Responsibilities, and Functionality

Hi Community, 

I wanted to share a scenario that may be a common issue for perhaps 1 too many customers. 

Let's say in your situation, you had 1 workspace administrator as the sole administrator in a given workspace. When they left the company, no one else had access to the data and that workspace.

We can understand why this can be a frustrating issue and why it highlights an area of opportunity for our Workspace administration.

My idea is to create 1 additional role which is the Tenant Admin role at the "Workspace Administration" level, so that there would be a total of 3 roles that you can be assigned: User, Workspace Admin, and a new Tenant Admin role.

-In this way the Tenant Administrator would be a permanent member in every workspace, under their tenant, and has the same powers as a Workspace Admin, except they cannot be removed from a workspace. *This would be contingent upon or synced over from confirming the Tenant Admin role has been assigned for that particular user.

Related to this is the responsibility of user deletion and disablement. If the above idea at the Workspace level is implemented, the Tenant Admin should be able to delete or disable users from their Tenant in all workspaces that belong to the tenant.

-Workspace Admins should only be able to delete users from their workspace(s). This would split up the responsibility in a distinct and clearly defined way.

-Additionally, a field such as "disabled by" could give the Tenant Admin visibility into who disabled a particular user.

-A field such as "modified by" could give Tenant Admin visibility into who adjusted a user's Role.

Lastly, there could be an element added as a layer of protection to prevent workspace administrators to be given "No Access" to a model in their workspace.

-This would force administrators to make a clear cut decision as to a role assigned to a particular individual- they either are a workspace administrator with "Full Access" in all models in the workspace or an end user with selective access, "No Access" or "Full Access" in the specific models. 

Thank you for your time and reading this idea.