Begin of the insertionAdministrators will always have the complete admin privileges. This comes in handy most of the time but makes it hard for them to work withEnd of the insertion Begin of the deletion ### **Environment:**

End of the deletion OpenProject Begin of the insertionwhen performing the actions of a normal project member, e.g.: End of the insertion Begin of the deletion Version: CloudEnd of the deletion

Begin of the deletion Chrome on Windows 10

### **Logs**

Not applicable

### **Steps to reproduce:**

End of the deletion 1. In a project, add two (or more) member roles
2. Role A has workflow X
3. Role B has workflow Y
4. Workflow Y is a subset of workflow X, with less available statuses
5. Administrator account has role B

Begin of the deletion ### **Actual Behavior**

End of the deletion Administrator account can manage all statuses available to Role A + Role B

Resulting issues:

* Administrator accounts cannot easily test roles to ensure workflows are set correctly
* Project admins cannot successfully assign specific workflows to Administrator accounts
* Several other role conflicts: Administrator accounts can modify all project permissions, not just the permissions of the assigned project role
* App usability can be confusing for team members that are both Administrators (with always-on admin privileges) and project participants

### Begin of the insertion**Proposed solution**End of the insertion Begin of the deletion **Expected Behavior**End of the deletion

Administrator account can only manage statuses set for the assigned project role

Administrators are able to toggle between managing an OpenProject instance (all admin privileges active) and working on projects (only role specific privileges active)