The unrestricted rights of administrators
I would like to talk about the very extensive authorizations of the Enterprise and Domain Admins. Although I also have a corresponding product idea/feature request in mind for the problem described below, I am first of all interested in whether other users face similar challenges and how they deal with them.
At our customer, it is becoming more and more apparent that an (Enterprise or Domain) Admin implicitly always possesses all roles and therefore also has unrestricted access to all reporting data and reporting artifacts!
In other words, the segregation of duties (SoD) required in most security concepts is currently not possible in Pyramid in my opinion. Or am I missing an aspect here? How do you deal with this?
We can use the Pyramid roles to grant non-admin users very granular authorizations for the content they need and are allowed to access. However, as soon as an employee has to perform even one administrative task, they are also given access to all data secured via the roles, because all roles are implicitly assigned to them.
As far as I know, you can take away functional administration areas from domain administrators, such as access to logs or user administration, but not access to certain modules - and, as I said, not the possession of certain roles.
I would be very happy about a lively discussion.
THANKS & regards,
Michael