Overview
There is a tenant member with “Viewer - Users” and “Viewer - Config Settings” roles. With this permission, it can create a new tenant and update the settings under Tenant Settings > Advanced > Migration.
Solution
As per the current design, tenant members with any of the viewer role, editor role, or admin role have access to create a tenant. Please feel free to create a feedback item here if is desired for the viewer roles not to have access to create a tenant.
For the “Allows use of custom extensions” option, it seems it can be switched off from the enabled options under Migration , but the following error message will be received, which prevents the possibility of creating any changes:
Error! Something happened while trying to save your settings: Insufficient scope, expected any of: update:tenant_settings.
For details about this error, please consult Receive the Insufficient Scope Error When Updating Tenant Settings.