Hi Beth,
In general, access to objects can be restricted to either read or write capabilities by virtue of user permissions mapped via the ObjectPermissions object. We haven't implemented that feature in our application for reasons of our own.
We just give access to specific workspaces under the Administrator to only authorized "Admins" of that workspace.
E.g., only a few "Admins" would be given access to the User Manager workspace. Hence, only they are allowed to edit/create Groups, Roles and Permissions.
We use the query/report route to provide the list of privileges and their users to other Business users.
For the report, do you want to include the default permissions, if any, (assigned to all users in your application)?
If there are such permissions, roles or groups, I would suggest removing them from the query/report, to make the report smaller and yet eliminate obvious/default data.
- Shashikanta