Gnosis Safe + Roles

I noticed on the Gnosis Safe Enterprise page that they mention a number of features that are beyond the default capabilities of the Gnosis Safe base contract. For example "Roles: define user hierarchies for role-based access control"

My googling seems to lead back to OpenZepplin Defender being used to create and manage a proxy for the Gnosis Safe contract. There are a few guides using Gnosis Multisig as an admin in Defender (example).

However, what I want is something slightly different and I am not sure what combination of Gnosis Safe modules, and safe apps and OpenZepplin products can be used to create what I need. My team wants to hold funds in a secure manner with our leadership having the multi-sig admin accounts, but also be able to delegate repetitive tasks to less secure signers (e.g. have a non-leadership employee go on SuperRare and do the data entry to mint and sign each of our NFTs)

  • An upgradable and pausible Gnosis Safe contract
  • A "superuser" or "admin" role which can:
    • Have N total signers with this permission level
    • Sign (n-1)/N threshold proposals for important things (transfer unbounded funds, upgrade contract, add/remove signers, pause the contract)
  • A "default" role which can:
    • Have any number of users with this permission level
    • Unilaterally Mint ERC-721 tokens
    • Has a time-limited allowance of gas coverage provided for them, allowing them to work but not drain the wallet adversarially with gas fees.

Any advice? Useful reads? Thank you.

A summary of your Gnosis project could be broken down into the following.

#Tier based signers
##User

  • Have any number of users with this permission level
  • Unilaterally Mint ERC-721 tokens
  • Has a time-limited allowance of gas coverage provided for them, allowing them to work but not drain the wallet adversarially with gas fees.

##Admin

  • All capabilities of User
  • Have N total signers with this permission level
  • Sign (n-1)/N threshold proposals for important things (transfer unbounded funds, upgrade contract, add/remove signers, pause the contract)

This is a good read on the topic if you haven't seen it already: Manage an ERC20 token using Defender Admin and Gnosis Safe

One method to achieve this result is with two separate contracts that refer to a master contract with different user permissions for each one.