I've got a user boschrexroth. This user does not belong to a user group. The rights are restricted to the datalayer. But indeed, the user has a lot of more rights. To example he has access inside the landing page to the EtherCAT app (delete the configuration or change the EtherCAT state) or he can stop/start/reset the PLC!
Here is my user configuration:
Will this topic be improved in further releases?
The datalayer permissions allow full access to the datalayer, without reglementations. These includes all nodes from ethercat, plc or scheduler. Since the functionality of these apps is realized using datalayer. It means you can change all settings, including deletion of master instances.
If you want to create a user accounts with restricted access to the datalayer, you can define restricted permission scopes, see: https://docs.automation.boschrexroth.com/doc/2276122339/einfuehrung-und-uebersicht/latest/de/?searchString=datalayer%2Fsecurity%2Fscopes
This allows you to limit the access to certain nodes in the datalayer.
Be aware that certain functions, e.g. configuring axes, not only requires permissions under motion/** but also on fieldbusses/** and others.