
We have been conducting security reviews of user roles in Canvas and want to redesign the roles to allow the minimum access necessary for individuals to still be able to complete their work.

We have repeatedly struck an issue with the "Account-level settings - manage" permission, where many roles need access to the subaccounts. Some need read-only access and others manage access. But this coarse-grained permission also enables some of the most critical features in Canvas: Authentication, Theme Editor, Account Settings and Terms.

In order to give sub-account access and withhold access to the other features, we are proposing a JavaScript Theme filter that hides and inactivates the more powerful screen controls. This workaround is a last resort for us and will only keep users from making mistakes in the UI. It can still be bypassed by a malicious party and must also be maintained over time to avoid accidental exposure.

We need Canvas to implement more granular permissions for "Account-level settings - manage" to break it down for safer delegation. At a minimum, we would like sub-account access to be removed from this role. Does Canvas have any plans to do this?
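
A sketch of the kind of theme filter the post describes, added here as an example (it is not the poster's code or Canvas's own): it hides and deactivates the listed controls and reports any rule that no longer matches, which is the maintenance failure the post warns about. The selectors, path patterns and the `restrictedUser` flag are hypothetical placeholders, and the filter changes only what the UI shows, not what the permission allows.

```javascript
// Added example. Selectors and path patterns are hypothetical placeholders,
// not real Canvas DOM ids; replace them after inspecting your own instance.
const RULES = [
  { feature: "Authentication",   path: /^\/accounts\/\d+\/settings/, selector: "#placeholder-authentication" },
  { feature: "Theme Editor",     path: /^\/accounts\/\d+\/settings/, selector: "#placeholder-theme-editor" },
  { feature: "Account Settings", path: /^\/accounts\/\d+\/settings/, selector: "#placeholder-account-settings" },
  { feature: "Terms",            path: /^\/accounts\/\d+\/settings/, selector: "#placeholder-terms" },
];

// Hide and deactivate every control matched by a rule that applies to `path`.
// Returns which features were covered and which rules matched nothing; an
// unmatched rule means the UI changed and the control may be exposed again.
function applyFilter(doc, rules, path) {
  const report = { hidden: [], unmatched: [] };
  for (const rule of rules) {
    if (!rule.path.test(path)) continue; // rule not expected on this page
    const nodes = Array.from(doc.querySelectorAll(rule.selector));
    if (nodes.length === 0) {
      report.unmatched.push(rule.feature);
      continue;
    }
    for (const el of nodes) {
      el.hidden = true;                         // remove from layout
      el.setAttribute("aria-hidden", "true");   // and from assistive tech
      el.setAttribute("tabindex", "-1");        // not reachable by keyboard
      if ("disabled" in el) el.disabled = true; // inactivate form controls
    }
    report.hidden.push(rule.feature);
  }
  return report;
}

// Browser entry point; skipped when no DOM is present (e.g. under Node).
// `restrictedUser` is an assumed flag: how the theme script decides that the
// current user holds a restricted role is site-specific and not shown here.
function runInBrowser(restrictedUser) {
  if (typeof document === "undefined" || !restrictedUser) return null;
  const report = applyFilter(document, RULES, window.location.pathname);
  if (report.unmatched.length > 0) {
    console.warn("Theme filter drift, controls not found:", report.unmatched);
  }
  return report;
}
```

Logging the `unmatched` list somewhere an administrator will see it turns a silent selector break after a UI update into a visible maintenance task.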
