User without delete privileges can remove datastore and groups from Lab Manager (2002254)
A user with a custom role can delete datastores and groups even if the Datastore: Delete and Group: Delete privileges are not set on the custom role.
The Organization: Edit Resource and Organization: Edit Membership privileges are required to remove datastores and groups from non-global organizations. The Datastore: Delete and Group: Delete privileges are required to remove datastores and groups from global organizations.
To ensure that a user cannot delete datastores and groups, you must not be set the following privileges on the custom role assigned to the user:
- Organization: Edit Membership
- Organization: Edit Resource