Why is this an issue?
When the plugin "Employee Service Center" is activated, the role "Employee Management Admin" sn_hr_ef.admin is automatically added to the instance. This role grants the user access to all Employee Management Admin information and privileges, as well as the ability to read, create, and add/edit content types.
When the plugin is activated the role is added to the admin role as a contained role. This is an issue since the admin may not be permitted to read and write sensitive HR data.
Best practices
To prevent the System Administrator from reading sensitive HR information, remove the Employee Document Management Administrator role from the System Administrator admin role.
With admin access follow these procedures to remove HR-related roles from the admin role:
In the Filter Navigator, search for User Administration > Roles
Search for admin and security-admin
From the Contains Roles tab, click Edit
From the Contains Roles List column, highlight and move sn_hr_ef.admin to the Collection column and Save
Log out and log back in to ensure that the changes take effect.