Why is this an issue?
When the "HR" application is activated, the "HR Admin" role (sn_hr_core.admin) is automatically added to the instance. This role grants the user access to all roles inside the application, as well as the ability to read, create, and add/edit content types.
When the application is activated, the role is also added to the admin role as a contained role. This is an issue because the admin may not be permitted to read and write sensitive HR data.
Best practices
To prevent the System Administrator from reading sensitive HR information, remove the HR Admin role from the System Administrator role.
With admin access, follow this procedure to remove HR-related roles from the admin role:
In the Filter Navigator, search for User Administration > Roles
Search for admin and security-admin
From the Contains Roles tab, click Edit
From the Contains Roles List column, highlight and move sn_hr_core.admin to the Collection column and Save
Log out and log back in to ensure that the changes take effect.
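To confirm the removal took effect, the following added example (not ServiceNow or page-provided code) walks role containment records and reports every chain through which a privileged role still reaches sn_hr_core.admin, including indirect chains that the UI steps above do not touch. It assumes the records come from an export of the sys_user_role_contains table with role and contains fields, and that containment is inherited transitively; the sample rows are constructed, and the role names follow the page's spelling, so adjust them to your instance.

```javascript
// Constructed rows shaped like an export of the sys_user_role_contains table
// (assumed fields: role = parent role, contains = contained role).
// Role names other than admin, security-admin and sn_hr_core.admin are hypothetical.
const sampleRows = [
  { role: "admin", contains: "sn_hr_core.admin" },
  { role: "admin", contains: "hypothetical_other" },
  { role: "security-admin", contains: "hypothetical_wrapper" },
  { role: "hypothetical_wrapper", contains: "sn_hr_core.admin" },
  { role: "hypothetical_wrapper", contains: "security-admin" }, // cycle
];

// Map each parent role to the set of roles it directly contains.
function buildGraph(rows) {
  const graph = new Map();
  for (const { role, contains } of rows) {
    if (!graph.has(role)) graph.set(role, new Set());
    graph.get(role).add(contains);
  }
  return graph;
}

// Return every containment chain from startRole to targetRole.
function findContainmentPaths(rows, startRole, targetRole) {
  const graph = buildGraph(rows);
  const paths = [];
  const walk = (role, path) => {
    for (const child of graph.get(role) || []) {
      if (path.includes(child)) continue; // do not loop on cyclic containment
      const next = [...path, child];
      if (child === targetRole) paths.push(next.join(" > "));
      else walk(child, next);
    }
  };
  walk(startRole, [startRole]);
  return paths;
}

// Report, per privileged role, every chain that still grants the HR role.
function auditRoles(rows, startRoles, targetRole) {
  const report = {};
  for (const r of startRoles) report[r] = findContainmentPaths(rows, r, targetRole);
  return report;
}

// Simulate the UI procedure: drop only the direct containment rows.
function removeDirect(rows, startRoles, targetRole) {
  return rows.filter(x => !(startRoles.includes(x.role) && x.contains === targetRole));
}

const roles = ["admin", "security-admin"];
console.log(auditRoles(sampleRows, roles, "sn_hr_core.admin"));
console.log(auditRoles(removeDirect(sampleRows, roles, "sn_hr_core.admin"), roles, "sn_hr_core.admin"));
```

An empty list for a role means no containment chain to sn_hr_core.admin remains; any chain still listed names the intermediate role whose Contains Roles entry needs review.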