Why is this an issue?
When the plugin "Human Resources Scoped App: Lifecycle Events" is activated, the role "LE Admin" sn_hr_le.admin is automatically added to the instance. This role grants the user access to all LE Admin information and privileges, as well as the ability to read, create, and add/edit content types.
When the plugin is activated the role is added to the admin role as a contained role. This is an issue since the admin may not be permitted to read and write sensitive HR data.
Best practices
To prevent the System Administrator from reading sensitive HR information, remove the LE Admin role from the System Administrator role.
With admin access follow these procedures to remove HR-related roles from the admin role:
In the Filter Navigator, search for User Administration > Roles
Search for admin and security-admin
From the Contains Roles tab, click Edit
From the Contains Roles List column, highlight and move sn_hr_le.admin to the Collection column and Save
Log out and log back in to ensure that the changes take effect.