Desire finer grained destroy permissions
Currently, to allow a user to destroy snapshots, they have to be allowed to destroy the parent dataset. This might be too much rope.
The use case is backup and replication systems. I want that backup system to be able to create and manage snapshots, but see no reason for it to be able to destroy the origin dataset - either by mistake or compromise.