Allow Create/Edit Entries Without Delete Permission in Devolutions Hub Business

1 vote

Hello Devolutions Team and Community,

I would like to submit a feature request related to permission granularity in Devolutions Hub Business, specifically regarding segregation of duties for credential management.

Use case
In our environment, we need a group of users who are allowed to:

  • Create entries
  • Edit existing entries
  • View passwords and sensitive data
  • Manage attachments and documentation
  • Edit VPN / Tunnel / Gateway configurations


However, these users must not be able to delete entries.

This is a very common requirement for environments with:

  • Segregation of duties
  • Audit and compliance controls
  • Change management policies
  • Credential lifecycle governance


Current behavior
We understand and confirm that:

  • Entries inherit permissions from the vault (and optionally folder/entry overrides), regardless of who created the entry.
  • Vault-level custom permissions allow granular control.

However:

  • There is currently no built-in role in Hub Business that allows Add + Edit while fully preventing Delete in a clear and enforceable way.
  • The closest role, Privileged Operators, grants delete permissions, which is not acceptable for this scenario.
  • Relying on complex inheritance combinations makes the permission model harder to audit and reason about.


Feature request
Introduce a dedicated role or explicit permission model that allows:

  • Create and edit entries
  • Full read access to credentials and sensitive fields
  • Explicit and guaranteed prevention of entry deletion

This could be implemented as:

  • A new built-in role, or
  • A more explicit separation between Edit and Delete actions with strict enforcement


Business value
This enhancement would:

  • Improve security posture
  • Simplify permission audits
  • Support compliance frameworks (ISO 27001, SOC 2, etc.)
  • Reduce the risk of accidental or unauthorized deletions


Thank you for considering this request. I believe this feature would benefit many organizations using Devolutions Hub Business in regulated or enterprise environments.

Best regards,

Edson Eduardo Caetano Junior
NOC, IT & Infrastructure Projects Manager

All Comments (2)

Good Morning,

To confirm, have you tried to address this with custom roles? This should allow you to have a bit more granularity on the different permissions, and from what I've seen, it seems to meet the requirements of your request. The slightly negative aspect of this solution is the need for you to redo this configuration each time.


Knowing this, does this solution seem acceptable to you? If not, in your context, do you have an idea for a name for this new role?

Regards

Hello @Dominic Dansereau,

Thank you for the suggestion.

I tested the custom roles approach, and it worked exactly as expected.

I really appreciate your help and guidance.

Best regards,

Edson