Baremetal needs the ability for users with the account level 'upgrade account' permission to be able to delete a device. They also need to be able to post (not to a specific device), but I believe that's already supported. We should hide this ability behind a configuration flag, because we haven't heard from any other teams that they need this additional permission.
- There should be a config option to turn on "upgrade_account" permission consideration.
- Verify with John Wood on the exact wording of the permission.
- When this feature is enabled in config:
- If the user has the "upgrade_account" permission, the user is allowed to DELETE (iff a deviceID is specified).
- We should continue looking for any permissions that would allow the user to perform the desired action (i.e. users might have multiple permissions for the same device, some that allow the action and some that don't; in those cases, they should be allowed to perform the action).