Permissions strategy for Team workspace and Forks

Hi all

How much access do Team users require in order to have both read-only access to the “main” collection, but also enough permissions to create their own fork within the same workspace if they need to submit changes?

In a nutshell, I’m currently looking to get a Team workspace (Professional lic) setup as follows:

  • A “main” collection, which should be forked by team members (not be edited directly), instead, all contributions be Pull Requested into.
    (ideally, with all but Admins being able to ever delete it, for fear of accidental deletion)
  • Team members to have only “Viewer” access to the “main” collection, who can either use the collection directly in read-only mode (if no changes required)
    Have the ability to fork the collection into their own copy (also stored within the same Workspace, presumably, so that Editors have secure visibility while doing approval), if they need to make any changes to the “main” collection.
  • Two “Editor”(?) users that will review and approve any Pull Requests from forked collections. They should also follow the same process (though I believe Postman currently doesn’t have a way to enforce this, as Editors need ability to make changes as part of reviewing PR’s)
  • One to two admins to manage the Team, where necessary, but more at an account level.

…and I’m looking for guidance as to what Roles (Workspace, Collection, etc.) we should use in order to achieve the above (particularly around the standard contributing users, per the opening question).

A response in this thread suggests that People with “Viewer” workspace role
should be able to Fork a collection into the same Team workspace. However, I thought “Viewers” didn’t have the ability to create a collection (unless “forking” is treated differently to creating)

Thanks in advance for any guidance.

Rightly or wrongly - I’m assuming this should be a standard flow
(e.g. like in source code - you don’t allow direct push to branch, have managed by peer-reviewed Pull Requests).

But I don’t seem to see any official Postman docs on how a Team should be setup for this.
…and the lack of any response here (at least so far) makes me wonder, am I under the wrong impression?