We ran into some issue where the behavior of the user permissions differed significantly from what we expected and want to clarify if its intended behavior or a misconfiguration or bug on our side.

First, It looks like users ordinary/non-admin users are able to create organizations at will. Is this intended functionality and if it is, is there a way to stop it?

Second, When we add a user to an organization are they supposed to be able to see all the shared workspaces in it? 

Because right now when we add users to orgs they don't see any workspaces they aren't explicitly added to.