The three levels of permissions for Balena make it really difficult to give access to users. Following the principles of least privilege is impossible. I feel this is especially frustrating because of the high cost per user account.
At the very least, destructive actions should be able to be disabled at every role outside Admin.
Allowing for the customer to define their own permissions would be great. We have people we would like to have a limited monitor/viewer access to certain areas of Balena.
I second this; the fact that Operators can bulk delete devices is insane. There is clearly a gap where we need a role that can SSH and do some support-related config changes, but won't be able to get the device into an unrecoverable state. Of course, anyone with SSH access can likely kill the device such that it will be unrecoverable, but maybe this access can be limited to the app container and not to the Host OS. That would limit the damage radius.