Symantec Privileged Access Management

Tech Tip - CA Privileged Access Manager: Copying the System Admin group 

Feb 08, 2018 10:13 AM

A customer wanted to create a new System Admin group so that administrators could be given a subset of the privileges rather than all of them. To accomplish this, they did the following:

1. Copied the "System Admin" Credential Manager Role.
2. Removed the "View Account Password" privilege and named this role as "System Admin - No Password".
3. Copied the "System Admin Group" under Credential Groups and named the copy "System Administrator Group - No Password".
4. Associated the "System Admin - No Password" role with this group.
5. Removed the user "super" and added the proper users.

When they saved this, the "super" user was associated with the Credential Group again, and the custom group could no longer be updated or deleted.

Answer:

The native "System Admin Group" is read-only by default. When you copy it, you are allowed to change its members (since you are creating a new object), but once you save it, the copy becomes read-only by inheritance. As a result, you will not be able to change or delete it.

It is not a consistency issue; the new object simply inherited all attributes from its source, including the read-only flag.
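The inheritance problem described above, as an added illustrative model that is not CA PAM's own code or data model: a minimal in-memory group store enforces a `read_only` flag on update and delete, and a naive copy carries that flag (and the `builtin` flag that re-associates "super" on save) into the new object, while a copy that resets the protected attributes stays editable. The store, the flag names and the sample users "alice" and "bob" are assumptions of this model.

```python
from dataclasses import dataclass, field, replace


class ReadOnlyError(Exception):
    """Raised when a group flagged read-only is updated or deleted."""


@dataclass
class CredentialGroup:
    name: str
    role: str
    members: set = field(default_factory=set)
    read_only: bool = False  # assumed flag carried by the native built-in group
    builtin: bool = False    # assumed flag: built-in groups always re-associate "super"


class GroupStore:
    """Hypothetical store that enforces the read-only flag, as the appliance does."""

    def __init__(self):
        self._groups = {}

    def __contains__(self, name):
        return name in self._groups

    def get(self, name):
        g = self._groups[name]
        return replace(g, members=set(g.members))

    def save(self, group):
        existing = self._groups.get(group.name)
        # A brand-new object may be saved; an existing read-only record may not be updated.
        if existing is not None and existing.read_only:
            raise ReadOnlyError(f"{group.name!r} is read-only")
        stored = replace(group, members=set(group.members))
        if stored.builtin:
            # Models the observed behaviour: the built-in group gets "super" back on save.
            stored.members.add("super")
        self._groups[group.name] = stored
        return stored

    def delete(self, name):
        if self._groups[name].read_only:
            raise ReadOnlyError(f"{name!r} is read-only")
        del self._groups[name]


def naive_copy(src, new_name):
    """Copy every attribute from the source, including read_only and builtin."""
    return replace(src, name=new_name, members=set(src.members))


def safe_copy(src, new_name):
    """Copy the source but reset the protected attributes so the copy is an ordinary group."""
    return replace(src, name=new_name, members=set(src.members),
                   read_only=False, builtin=False)


def seed_store():
    store = GroupStore()
    store.save(CredentialGroup("System Admin Group", "System Admin", {"super"},
                               read_only=True, builtin=True))
    return store


def reproduce_issue():
    """Naive copy: the first save works, but 'super' comes back and later changes fail.

    Returns (members after first save, update failed, delete failed)."""
    store = seed_store()
    copy = naive_copy(store.get("System Admin Group"), "System Administrator Group - No Password")
    copy.role = "System Admin - No Password"
    copy.members = {"alice", "bob"}
    saved = store.save(copy)  # succeeds: no existing record yet
    try:
        copy.members = {"alice", "bob"}
        store.save(copy)      # now blocked by the inherited read-only flag
        update_failed = False
    except ReadOnlyError:
        update_failed = True
    try:
        store.delete(copy.name)
        delete_failed = False
    except ReadOnlyError:
        delete_failed = True
    return sorted(saved.members), update_failed, delete_failed


def fixed_workflow():
    """Safe copy: the new group can be saved, updated and deleted like any other.

    Returns (members after first save, members after update, deleted)."""
    store = seed_store()
    copy = safe_copy(store.get("System Admin Group"), "System Administrator Group - No Password")
    copy.role = "System Admin - No Password"
    copy.members = {"alice", "bob"}
    saved = store.save(copy)
    updated = store.save(replace(saved, members={"alice"}))
    store.delete(copy.name)
    return sorted(saved.members), sorted(updated.members), copy.name not in store


if __name__ == "__main__":
    print("naive copy:", reproduce_issue())
    print("safe copy: ", fixed_workflow())
```

The point of the model is the pre-save check a practitioner would want: before saving a copy of a protected object, confirm that attributes such as a read-only flag were not carried over, because once the copy is persisted the same enforcement that protects the original will protect the copy.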

It is possible to change it to read-write, but doing so involves enabling SSH access to the appliance and manually changing the product DB. This is an invasive and risky procedure.

If you find yourself in this situation and want to change this via SSH and a manual DB change, please open a ticket with CA Support, as we will need to set up a WebEx session to perform the SSH access and change the records in the DB.

To my friends from CA Support:

The complete set of DB commands can be found under ticket 00920918.
