I believe we're in agreement and have similar understanding on the concept & need of permission separation between modules, and I know we're not alone.
While it may vary from company to company on who should be the primary Admins of Orion, under the current model where the "add-on" modules to NPM (SAM and NCM primarily) are becoming more-and-more integrated but the permissions granularity hasn't kept up, it's almost becoming increasingly necessary to consider running separate instances of Orion as a result. e.g. An instance of NPM & NCM for the "network folk" and/or "security folk", NPM & SAM for the "server folk", etc. - This of course is often cost prohibitive and more importantly, goes against having a unified view of the network holistically, with ease of "read" access to the various groups within IT while allowing the appropriate levels of management of applicable assets by those authorized groups without overstepping their individual span of control.
Fortunately for this particular matter, I have received word from Support that there are plans to rectify this admin requirement between NPM / NCM - While it may not be available for a bit, hopefully it will come to fruition and resolve the matter (look to NCM 7.3 & whatever the corresponding NPM version may be, sometime this year). Until then, it may be necessary to either elevate privileges to people in order to allow them to operate as before, or an existing Orion (NPM) Admin must take on that NCM work.
