Has anyone implemented a security model where they grant access to all admin tasks except security? I told told this customer to just assign the users to Administrators and then have a report each month that shows that they're not adding users, etc.
I did the same thing at HC2. It wasn't too bad... I'd create a power user group and leverage the administrator group. Just restrict the system security roles to administrator and the application security roles to Power User. Basically the IT team was assigned to the admin group and the finance ""True system admin"" was assigned to the power user group. The finance admin could do everything but access the system tab.