Access rights are a fundamental part of how Odoo functions, ensuring users have the appropriate permissions. However, I've encountered an unusual scenario regarding administrative access to "Access Rights."

When a user is granted administrative rights to manage "Access Rights," they also gain the ability to modify their own access to settings, effectively granting themselves full control over the Settings application. This, in turn, makes the intended restriction on "Access Rights" ineffective, as they can override it.

Is this expected behavior, or am I misconfiguring something? How can I maintain control over access rights while still allowing some administrative capabilities?