Proposal: Splitting up delete contacts permission / new permission "CiviCRM soft delete contacts"?
Overview
Currently CiviCRM already has a distinction between soft deletion and permanent deletion of contacts: with the permission CiviCRM: delete contacts you're able to put a contact into the trash bin. Users with the additional permission CiviCRM: access deleted contacts can then permanently delete these contacts. In many use cases this is fine – e.g. when you just want to prevent temporary volunteer workers from accidentally deleting contacts permanently. However, there are very common use cases where an explicit distinction between a soft and a hard delete permission would be needed:
Example use-case 1: Allow restoring but not (hard) deleting contacts
You're glad your temporary volunteers help take care of your contacts. And you feel safe allowing them (soft) deletion, too, as you're happy with the fact that only a few of your colleagues have the permission to delete these contacts permanently. What you would also like, however, is for them to be able to view and restore the deleted contacts to fix mistakes.
Current behaviour
When you allow users to soft delete contacts and to view the bin to restore contacts, this combination also allows permanently deleting contacts.
Proposed behaviour
In combination with a new permission CiviCRM: soft delete contacts, the permission CiviCRM: access deleted contacts would allow this use case. It seems there used to be a workaround for this using the permission CiviCRM: edit all contacts ("View, Edit and Delete ANY CONTACT in the CiviCRM database"), which is not working anymore (see this discussion on StackExchange).
Example use-case 2: Allow deduplication but not (hard) deleting contacts
You deal a lot with event submissions and imports, so deduplication is very important for you. That is why you want your team to be able to deduplicate and also to fix mistakes by looking in the trash. But you don't want everybody to delete contacts in the trash.
Current behaviour
Same as in use case 1, except that even the broken workaround mentioned there would not work here, as CiviCRM: merge duplicate contacts requires the delete contacts permission.
Proposed behaviour
In combination with a new permission CiviCRM: soft delete contacts, the permissions CiviCRM: merge duplicate contacts plus CiviCRM: access deleted contacts would allow this use case.
Comment
Since this would mean touching a basic thing and might have some unexpected consequences in practice or in code (I'm not a developer), a broader discussion would be great :-)