Can I give a user the permissions of a system administrator, but prevent them from deploying to production and from giving themselves or someone else access to deploy to production?
I can create a Team with the System Administrator role and limit it to non-production environments, and at first that seems to be sufficient. Members of that team can’t deploy to production, and they can’t grant another team access to production explicitly. They can, however, remove all environments from a team (including their own) which gives that team access to all environments, including production. Is that by design, or is that an oversight?
In our environment, developers are not allowed to deploy to production due to regulatory audit restrictions. But we would like a lead developer on each of our teams to manage the users for their own projects and to have access to the diagnostics, audits, certificates, and other features relevant to their projects that only a System Administrator can access. Is there another way to accomplish this?