The base system 'admin' role is unique and should be treated as the all-inclusive user role, since it passes all user role requirements. Essentially, the 'admin' role contains almost all other roles, except "security_admin" and "maint". If an ACL requires a specific role, the admin user will pass that ACL even if the Admin Overrides checkbox is not selected. Additionally, if any other scripts require a role, the 'admin' role will always pass the check.
Our product documentation gives the following role description:
"The administrator role. This role has special access to all system features, functions, and data because administrators can override ACL rules and pass all role checks. Consider these implications when using admin overrides on ACLs."
If there is important data (such as HR information) that should not be modified or seen by the 'admin' role, there are additional steps that need to be taken to prevent admin users from having too much access.
On an ACL, if the role requirement is removed and the Admin Overrides checkbox is unchecked, a scripted role check that confirms the user does not have the admin role will keep admin users from having too much access.
Here is an example of a simple script to add to an ACL:
// Grant access only to hr_admin users who do not also hold the admin role
if (gs.hasRole('hr_admin') && !gs.hasRole('admin')) {
    answer = true;
} else {
    answer = false;
}
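The following is an added example, not part of the original article or of the platform's own code. It models the behaviour described above in plain JavaScript so the two ACL styles can be compared side by side. The makeGs stand-in, the function names and the sample users are assumptions made for illustration.

```javascript
// Constructed model of the role check described above; not ServiceNow code.
// Assumption: 'admin' passes every role check except security_admin and maint.
const NOT_IN_ADMIN = new Set(['security_admin', 'maint']);

// Build a stand-in for the server-side `gs` object for a given set of roles.
function makeGs(userRoles) {
  const roles = new Set(userRoles);
  return {
    hasRole(role) {
      if (roles.has(role)) return true;
      return roles.has('admin') && !NOT_IN_ADMIN.has(role);
    },
  };
}

// ACL that relies on a role requirement only.
function roleOnlyAcl(gs) {
  return gs.hasRole('hr_admin');
}

// ACL with the scripted check from this article (role requirement removed,
// Admin Overrides unchecked).
function scriptedAcl(gs) {
  let answer;
  if (gs.hasRole('hr_admin') && !gs.hasRole('admin')) {
    answer = true;
  } else {
    answer = false;
  }
  return answer;
}

// Constructed sample users.
const USERS = {
  hr_only: ['hr_admin'],
  admin_only: ['admin'],
  hr_and_admin: ['hr_admin', 'admin'],
  itil_only: ['itil'],
};

function evaluateAll() {
  const out = {};
  for (const [name, roles] of Object.entries(USERS)) {
    const gs = makeGs(roles);
    out[name] = { roleOnly: roleOnlyAcl(gs), scripted: scriptedAcl(gs) };
  }
  return out;
}

console.table(evaluateAll());
```

In this model a user who holds both hr_admin and admin is denied by the scripted check, so HR administrators who need the data must use accounts without the admin role.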