Hey Folks!
A customer of mine wants to implement restrictions via permission profiles, and while this is mostly working as expected so far, today we came upon something we do not understand yet:
We tried to create a profile for certain admins, so that they can only edit objects and install the policy... nothing more (so not even viewing any policies). They have a lot of time objects with which they control access from 3rd parties, and these have to be changed very frequently throughout the day. This is mostly working, but it seems there is one additional thing that can still be accessed and changed, no matter what settings in the profile we choose: the inspection settings.
Is this something that is always allowed, no matter the permissions?
We have unchecked all permissions, and those that could not be unchecked (like "settings" in Threat Prevention, which I suspect is also for inspection settings) we set to "Read". Only the Access Control Objects are enabled and set to "Write". Yet, it is still possible to change the settings there, which we do not want to allow.
I could not find anything regarding this, but surely we would not be the only ones to stumble upon this, right?
As always, happy for any hints regarding this!