To enforce the privacy of the system users towards system administrators in daily usage the option was added to restrict the permissions that admins receive to permissions on folders only, not the messages in the folders.

Normally, admin users are granted all permissions on all stores in the server or for stores in the tenant’s company (in multi-tenant mode). Enabling this option restricts permissions to folder operations: Folder viewing, folder creation and importantly, folder permissions. This means that an administrator can grant himself full permissions on a folder. However, in combination with auditing, it provides an extra level of security protection against unwanted access.

Note that some applications may require full access to all stores, which would be restricted by this option. Also, this option cannot be reset by sending a HUP signal, so a full server restart is required to change the setting.

restrict_admin_permissions = no