Thanks for getting in touch! It's definitely possible to configure this permissions structure. Permissions within Octopus are very granular and gives you great control over what users are able to see and do within specific environments and projects.
You can define specific permissions to custom user roles, which you then assign to teams. You can then scope these teams to individual environments. I'd recommend checking out our documentation page which outlines how you can configure separate teams with mixed environment privileges. https://octopus.com/docs/administration/managing-users-and-teams/cr...
If desired, you can then take it a step further and allow developers to see all variables (including those scoped to TEST and PROD), but only edit DEV scoped variables.
I hope this helps! Let me know how you go, and if you have any further questions, feel free to reach out. :)