I have a client that is migrating from SharePoint on-premises to SharePoint 365. With the move, they will be implementing Nintex Workflows and Forms for Office 365. Their current model only gives employees a maximum of Design permissions in SharePoint, and they require at least two different people in this role for oversight. Before a site is created, a workflow runs that gets approval of the need for a new site. Before an employee can be allowed design permissions, they must attend some basic SharePoint training. Only people who attended training can be selected from a designated group to be listed on the form in the workflow and granted design permissions on sites. This is all automated through a workflow and provides a good balance of oversight.
Moving to SharePoint 365, they want to do away with this model. When they migrate to SharePoint 365, anyone will be able to create a site and will be given site owner permissions. There will be no requirement of training, and the need to have at least two people with admin permissions on the sites will not be enforced. They also do not plan to designate only certain people who have Nintex training or workflow expertise as publishers of workflows. In essence, you can have one person over a SharePoint site who can create and publish any workflow they want.
I am trying to encourage them to use Nintex to set up a request process for SharePoint sites that would require some approvals like they currently have, since Nintex workflow can handle the entire process, including site creation. I am also trying to get them to only allow certain people to publish workflows. This would then require the person who wants a workflow to at least review workflows with someone who has some expertise before it can be published. The reviewer can then also look for any issues in the workflow that could pose a security risk depending on the content to be stored on the site/list, since workflows have the ability to e-mail people outside the organization and include attachments with sensitive company information.
What are other organizations doing around governance? Do you believe in an open model where anyone should be able to create a SharePoint site with owner permissions, and also have the ability to create workflows without any "four-eyes oversight"? With any process you need to have some level of trust in your employees, but you do need some controls. Am I being too cautious or are they being too trusting?
Thanks for your feedback,