Rudder

If you hand configuration permissions to a rudder user, they are be allowed to view, modify and debug the configuration that makes up rudder's end system policy.
Unfortunately it seems if they have access to NCF they are able to modify contents of the techniques in there.
The problem is that those changes take effect directly, and bypass the CR system.

This shouldn't be too hard to solve just modifying the type of input boxes and disabling visually the save + reset buttons.

Until then, it needs to be documented, along with advice on how to set up (or, rather, which permissions to not hand out) NCF.
NCF is no longer a beta component as far as I am aware and shouldn't just ignore rudder.

My suggestion is to properly introduce versioning on NCF techniques.

That way modification of an rule-contained NCF technique could be allowed but not have any effect on the live policy, forcing to switch it's version from within the Rudder side of things.
That would then need to pass through the CR process.

Not that I like it too much, but it would actually allow to create and prepare the objects in NCF and not get in the way until they are really affecting systems.

In any case, a warning needs to move in place.