A regular admin has the ability to modify the role of a super admin account. This means that regular admins with the administration > people permission could hijack a JA instance from their super admins, or that an instance could end up with no super admins. This should be seen as a security gap.
Realistically, you would expect that a non-super admin would see the role dropdown as read-only when editing the account of a super admin.
- Log into a non-super admin user account that has permissions to edit people (users)
- Go to Administration > People and search for an account that is a known super user.
- Click on the roles dropdown and change the super admin role to anything else.
This dropdown would be read-only - or changes to this field should not be savable.
The super admin user's role is changed to whatever was selected, and their super admin permissions are lost.
No workaround possible, aside from making sure that any admins below SA do not have people level permissions.