Admin: Project update permission



I’m trying to solve a permission problem.
Basically I want to make sure that a user can’t deploy a new version of a process definition or delete a deployment with this process definition unless he has permissions to that process definition.
What I tried:
Granted access to a specific user to one specific Process Definition “Process A”.
Granted access ALL to ALL Deployments.
In Cockpit that user can only see this one Process Definition. That is correct.
But in deployments he can still delete a deployment with process definition which he should not have access to.

I can see that Process Instance permissions allow CREATE/UPDATE/DELETE so I was expecting that unless a user has these permissions on a process definition, he won’t be able to create/delete deployment for this process.
Unfortunately I can’t use multi tenancy since it does not work with LDAP.

Thanks for any help.