alt Hacker NewsI'm not saying there can't be an admin who can create roles, or do some extra authentication to gain that privilege. I am saying that it shouldn't require assuming an all powerful user to do it. You should be able to do it from your actual account. This is good for keeping accurate records too since all actions are done by the users themselves. Yes, technically sudo can be logged, but it's bypassable by starting a shell.
Elevated credentials for said users segment access while still allowing the same user to access more administrative function.
Proper group / sudoers mappings can go a long way, but you still want that administrative break between access levels.