Expanding on earlier idea would be good to have the following:
In Role Permissions:
Build on to Desktop Remote Management and Server Remote Management but have a new item:
Server Remote Access - Toggle remote access on or off for Servers.

This way we can have a tech monitoring servers and running scripts we have made but make the tech assigned to role unable to remote into servers (Think L1 or L2 tech).
Speaking of scripts, before "Manage Scripts" have a toggle to:
"View Scripts" - on and off so that we can assign L1 or L2 tech the ability to run a script which may include a domain admin credential for example without them seeing the domain admin credential.

One other thing is to be able to toggle access to command prompt and powershell. We want to be able to give techs ability to run scripts on machines but not input commands in either shell - I think this is a more secure approach to MSP.

We are trying to set up so a L1 tech can have access to a bunch of scripts that fix 90% of everything along with KB access to know what script to run in what situation. BUT we don't want to give them high level access permissions to either mess things up or have to change when they leave.
L1 will only access PCs, L2 will access PCs and have ability to run scripts on servers (add / remove AD users etc) L3 and above will be able to do pretty much anything.