QEM currently has 4 roles available: viewer, operator, designer, and admin. Our team administers the QEM/QR environment, and data stewards create tasks for data movement needs. At times, a user may need to utilize certain functionality, but the roles currently provide an "all or nothing" level of permissions based on the component (server, endpoints, analytics, etc.). Having some more granular permissions would help us to better provide least-privilege permissions to end users, and better allow self-service.
Ex1: Endpoints
To modify an endpoint, or view internal parameters, you need designer access. This unfortunately allows you to create/delete/modify all endpoints for that QR instance. Having the ability to set permissions like "you can modify passwords and internal parameters, but you cannot make new endpoints or update other fields" would greatly assist from a security perspective.
Ex2: Notifications
You need designer access to create and manage notifications, but this gives you the ability to mess with every notification for the environment. We have a shared QEM instance, where multiple business areas need to create their own notifications. Being able to limit actions by a naming convention or other constraint would reduce impacts to other business areas due to a malicious user or accident.