I think many of our customers (especially our larger migration customers) will not like the idea of all their users being able to generate reports - even if we have added other data restriction criteria. Nor, for the same reason, use PowerBI or other things.
Previously in 365 we had added a role for "Report Writer" - which you can already set in the admin portal.
I think we should use this role (or new/expanded roles, but I think this is fine) to restrict both:
- Generation of PAT tokens, and
- Creation of Reports in CRM
I realise it is a bit of a moot distinction, but I would still allow users to open an existing report and change fields/filters. This might become an issue that we can come back and address later, but don't worry for now.
Final comment - if the user tries to create a report, or navigates to the PAT page, they should get a nice message. One day we might have a "request access" bit of functionality, but without doing anything too clever, I know that we already have a way to show you a list of your colleagues with Admin rights. I cannot remember exactly how this works, but I think it takes you to this page: https://my.prospect365.com/Colleagues.aspx with some criteria added? I think you get this link if you try to access some of the old portal pages without roles for CMS, CRM, etc. We could just re-use that feature for now - i.e. either on this page or a similar page/popup window, offer the user a link to their admins from whom they can request the role (by email, phone, in person - however they like).