Blueprints are complex, and entitling actions to run on provisioned blueprints can result in unexpected behavior. Use the following best practices when entitling service catalog users to run actions on their provisioned items.
When you entitle users to the Destroy Machine action, also entitle them to the Destroy Deployment action. A provisioned blueprint is a deployment.
A deployment can contain a machine. If the service catalog user is entitled to run the Destroy Machine action but is not entitled to run the Destroy Deployment action, then when the user runs the Destroy Machine action on the last or only machine in a deployment, a message appears indicating that they do not have permission to run the action. Entitling both actions ensures that the deployment is removed from your environment. To manage governance on the Destroy Deployment action, you can create a pre-approval policy and apply it to the action. This policy allows the designated approver to validate the Destroy Deployment request before it runs.
When you entitle service catalog users to the Change Lease, Change Owner, Expire, Reconfigure, and other actions that can apply to machines and to deployments, entitle them to both the machine action and the deployment action.