Permissions issues/questions in role management

About the permission of a role for a user:
As far as my understanding goes- only having the 3rd as ON should allow the user with that role to delete a profile.
However, I tried different combinations of all 3 options and I can’t get to a situation where a user in this role can associate a profile with a device/group but cannot delete a profile.
What am I missing?

manage.profiles Manage profiles and alerts (read only) ON OFF
manage.profiles.association Association profiles with devices. Parent permissions are "manage.profiles", "inventory.devices", "inventory.users", "inventory.devices.actions" ON OFF
manage.profiles.manage Manage profiles and alerts (full control). Parent permissions are "manage.profiles" and "inventory.devices"

Hello @InfoSecAdmin,

Users, or more appropriately called end-users, are the customers of your Clients/Companies. These end-users are not allowed to delete profiles.

You can learn more about Role Based Access Control for Users here:

Staff, on the other hand, are the people directly working for you. These are the people, if given permission, that have access to end-users and devices. They can add/remove devices, modify users and create/delete profiles.

You can learn more about staff/administration management here:

You can also learn more about their roles and capabilities here:

Thank you