Thanks, I'm trying that. I already set the Write/Delete access controls of Rule-Access-Role-Obj to 0 in the clone of the SysAdm4 access role. However in another access role that the operator has, the Write/Delete access controls of Rule-Access-Role-Obj is set to pzModifiedAllowed or 5. Is there a way to make the ARO in SysAdm4 take precedence? Or do I really have to modify the other access role as well (ie. set Write/Delete to 0).
Update: I modified the access controls for Rule-Access-Role-Obj in the other Access Role and already set it to 0, yet the user is still able to modify access roles. Am I missing something?
As you have mentioned there are multiple ARO's , then yes the behaviour is correct. It doesn't really matter if you just clone one.
Not sure if there is a way to make one role take precedence.
One question here is , how do the end users update the Operator ID ? Have you created a customized UI or any other thing? May be we can see if there is any other way to achieve this which is less cumbersome than updating all the ARO's.