Can we have the developers and QA have access ONLY to monitoring tab in designer for triaging purpose?
Can we have read only access to the entire designer env?
Discussion posts and replies are publicly visible
The answer right now, is sort of, but technically no.
Non-system administrators with membership in the Designers role (group) can see designer.
With adherence to security best practices, in an object's rolemap, an appian designer can configure almost all objects to be read-only to specific groups using the "viewers" entitlement.
My recommendation is to create an <APP> Read Only Users group per app. This group is added to Designers. All object's in the app should have viewer rights provided to <APP> Read Only Users . You can add users to this group as needed to give them review rights. end users also get viewer rights, but they shouldn't have designer access. assign your Administrator and Editor rights as needed, and then give "none" to everybody else. If done correctly No one but sys admins and members of these groups should see your objects, (with the exception if CDTs). This is easy to manage if you set the permissions on the folders and just have your other objects inherit those permissions.
CDT's (Data Type objects) do not have a rolemap - and so you cannot set any security on them.
Since this App read only User group is added to Designers , this groups users will be able to edit CDT and publish datastore right. Any other way to restrict the CDT to show as viewer access