How to hide Custom notifications and specific Delivery channels cards (Next Experience / Workspace)

Family / UI: YOKOHAMA (Next Experience)
Page: User Preferences → Notifications
Constraint: We are not allowed to modify UI Builder in this environment.

Business requirement

• Non-admin users must not see or access the Custom notifications section/tab (including the Create notification button). Only admins can use it.

• Additionally, on the Delivery channels tab we want to hide the cards for Next Experience and Workspace from non-admin users (admins can see and manage them).

What we tried

1. Destination-level restriction
   For both Next Experience and Workspace we configured Notification Destination Type as:

   • Deliver To = Roles

   • Destination Table = Role [sys_user_role]

   • Destination Id = admin
     This correctly limits who can use these channels in advanced preferences, but the cards still appear for non-admin users on the Delivery channels tab.

2. Verified the channel providers/plugins are installed and active (e.g., Notification Provider for Next Experience).
   Toggling provider/channel/destination did not remove the Custom notifications section, nor did it hide the Next Experience / Workspace cards for non-admins.

3. We know UI Builder visibility rules (e.g., userHasRole('admin')) or fully deactivating plugins would work, but we’re looking for an OOB configuration/permission approach first (no UI changes).

Questions

1. Is there any OOB property or configuration to hide the “Custom notifications” section/tab (and Create notification) from non-admin users without changing UI Builder?

2. For the Delivery channels tab, is there an OOB way to hide the Next Experience and Workspace cards by role?
   Or is destination-level restriction (card still visible but unusable) the intended behavior?

3. If UI hiding isn’t available OOB, what’s the recommended ACL hardening to effectively disable these features for end users?

   • For Custom notifications, which tables should be protected (read/create/update/delete) so non-admins can’t list or create anything?
     Our current understanding: notification definitions end up in sysevent_email_action (aka sys_notification), user subscriptions in sys_notif_subscription, and resolved messages in cmn_notif_message.
     Is there an official table list specifically for Custom notifications?

   • For Next Experience / Workspace channels, are there additional tables (e.g., channel/property/provider records) that should be ACL-restricted to prevent non-admins from using them even if the cards remain visible?

Any official docs or best-practice guidance would be greatly appreciated. Screenshots available if helpful. Thanks!