Add Admin Restriction
In my company I needed create admins with limit power. So we expand AccessControl to have restrictions. And we can add this to a admin.
It works with counter logic of permission. If a admin has the RestrictionRole to create group, he can't create a group.
I attached some images to ilustrate the idea. What do you think? Is It a good place to send you a Patch?