...
Forms/Flows are owned by the designer, who can grant authorization to administer access. Only the designer/owner may modify the form/flow design.
Flow administration may be granted to any other user/role to give full access to audit trail and ability to modify/abort running instances.
Access to a flow instance’s audit trail may be granted to all participants or to a custom set of users/roles.
Other users may be granted the publisher role allowing them to administer form/flow access and deploy to production.
Only the designer/owner or publisher may deploy the form/flow to production. Best practice is to have a deployer account on the production system that owns the form/flow or has the publisher role.
End User/Run Time
The designer/owner of a form/flow may designate who may use the form/flow with options for:
public access (anyone including anonymous users)
private access (the designer/owner only)
public in tenant (authenticated users logged into the tenant only)
Custom set of users or roles only.
The designer/owner of a form/flow may designate separately who may view individual submissions or may edit individual submissions. Either of these access lists may contain specific sets of individual users or roles. Additionally, specific access to individual submissions can be dynamically determined from the form/flow content at the time of submission in order to provide very granular access to specific submissions to specific users/roles.
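The run-time rules above can be modelled as a default-deny check. The following is an added example, not the product's own code: it covers the four usage options and a view list resolved at submission time from the form content. The class names, the "manager" control, the tenant scoping of non-public options and all sample data are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class User:
    name: str
    tenant: str
    roles: frozenset = frozenset()

@dataclass
class Acl:
    users: set = field(default_factory=set)
    roles: set = field(default_factory=set)
    def allows(self, user: Optional[User]) -> bool:
        # Anonymous callers (None) never match a user/role list.
        return user is not None and (user.name in self.users or bool(user.roles & self.roles))

@dataclass
class Form:
    owner: str
    tenant: str
    visibility: str  # "public" | "private" | "tenant" | "custom"
    use_acl: Acl = field(default_factory=Acl)
    view_acl: Acl = field(default_factory=Acl)
    dynamic_viewer_field: Optional[str] = None  # hypothetical control naming an extra viewer

def can_use(form: Form, user: Optional[User]) -> bool:
    if form.visibility == "public":
        return True  # anyone, including anonymous users
    if user is None or user.tenant != form.tenant:
        return False  # assumption: every non-public option is scoped to the tenant
    if form.visibility == "private":
        return user.name == form.owner
    if form.visibility == "tenant":
        return True
    if form.visibility == "custom":
        return form.use_acl.allows(user)
    return False  # unknown setting: deny

def submission_view_acl(form: Form, content: dict) -> Acl:
    # Resolved once, at submission time: static list plus the user named in the content.
    acl = Acl(set(form.view_acl.users), set(form.view_acl.roles))
    viewer = content.get(form.dynamic_viewer_field) if form.dynamic_viewer_field else None
    if viewer:
        acl.users.add(viewer)
    return acl

if __name__ == "__main__":  # constructed sample data
    f = Form("designer", "acme", "tenant", view_acl=Acl(roles={"hr"}), dynamic_viewer_field="manager")
    print(submission_view_acl(f, {"manager": "bob"}).allows(User("bob", "acme")))
```

The edit list for a submission would be resolved the same way from its own, separate list; copying the static list per submission keeps one submission's dynamic viewer from leaking into another's.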
...