Since the default mode for Access Control when it is first created is to allow
all rights to all users (for backward compatibility), it is recommended that
permissions be "locked down" first and then granted only as needed. The
admin user, which has the irrevocable ability to reset ACLs, should
remain a "superuser" with all access, and the other accounts should become
lesser-permission users. Lockdown should happen in this order:
1. Allow superuser: give the admin user an Allow entry for all rights
   on the top-level Global object.
2. Deny everyone: give the group Everyone a Deny entry for all rights
   on the top-level Global object.
The Allow entry is created first so that admin access is already explicit
by the time the Deny entry takes effect.
With these permissions in place, all users other than admin, including
users and profiles created in the future, will be unable to see or modify
administrative settings. Rights can be granted later as needed; for
example, removing the Read right from the Global Deny entry lets those
users read, but not modify, any administrative action or setting.
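The following is an added example, not code from this product's documentation, that models the lockdown sequence above so the effect of each step can be checked. The right names, the ACE structure and the evaluation order are assumptions: a user-specific entry is consulted before group entries, Deny is checked before Allow at each level, every user is implicitly a member of Everyone, and a right that no entry mentions falls back to the default-allow behaviour the page describes for a freshly created ACL.

```python
"""Toy model of the Global-object ACL lockdown (added example, not product code).

Assumed, not taken from the page: the right names in ALL_RIGHTS, the ACE
shape (principal, kind, rights), user entries evaluated before group
entries, Deny before Allow within each level, and default-allow when no
entry mentions the requested right.
"""
from dataclasses import dataclass, field

ALL_RIGHTS = frozenset({"Read", "Write", "Delete", "Admin"})  # hypothetical names
EVERYONE = "Everyone"   # group every user belongs to implicitly (assumption)
ADMIN = "admin"         # the superuser account the page refers to


@dataclass
class ACE:
    principal: str                      # user name or group name
    kind: str                           # "Allow" or "Deny"
    rights: set = field(default_factory=set)


@dataclass
class ACL:
    """ACL of the top-level Global object; starts empty, i.e. allow-all."""
    entries: list = field(default_factory=list)

    def add(self, principal, kind, rights):
        self.entries.append(ACE(principal, kind, set(rights)))

    def find(self, principal, kind):
        for ace in self.entries:
            if ace.principal == principal and ace.kind == kind:
                return ace
        return None

    def check(self, user, groups, right):
        """True if `user` (member of `groups`) holds `right` on Global.

        User-specific entries win over group entries; Deny beats Allow at
        the same level; no matching entry means allow (back-compat default).
        """
        for principal in [user, *groups]:
            for kind in ("Deny", "Allow"):
                ace = self.find(principal, kind)
                if ace is not None and right in ace.rights:
                    return kind == "Allow"
        return True


def lock_down(acl):
    """Apply the two lockdown steps in the order the page gives."""
    acl.add(ADMIN, "Allow", ALL_RIGHTS)      # step 1: Allow superuser
    acl.add(EVERYONE, "Deny", ALL_RIGHTS)    # step 2: Deny everyone
    return acl


def grant_read_to_everyone(acl):
    """Later relaxation: drop Read from the Global Deny entry for Everyone."""
    acl.find(EVERYONE, "Deny").rights.discard("Read")
    return acl


def report(acl, user):
    """Map each right to whether `user` currently holds it on Global."""
    return {r: acl.check(user, [EVERYONE], r) for r in sorted(ALL_RIGHTS)}


if __name__ == "__main__":
    acl = ACL()
    print("fresh ACL, alice:", report(acl, "alice"))        # everything allowed
    lock_down(acl)
    print("locked down, admin:", report(acl, ADMIN))        # everything allowed
    print("locked down, alice:", report(acl, "alice"))      # everything denied
    print("locked down, later user:", report(acl, "newuser"))
    grant_read_to_everyone(acl)
    print("Read re-granted, alice:", report(acl, "alice"))  # Read only
```

Running the block shows why step 2 must follow step 1: an ACL holding only the Everyone Deny entry denies the admin user as well, since admin is a member of Everyone and has no explicit Allow entry in this model. A user created after the lockdown inherits exactly the same denial as an existing one, and removing Read from the Deny entry re-enables reading without touching the other rights.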