I'm struggeling with the Moodle capability system and some arrangements I don't understand.
If I (Admin) prohibit an action for a editing teacher (i.e. "moodle/course:viewparticipants") he can still assign this capability to a non-editing teacher and therefore give permission for an action to a sub role. Then it would be also possible, that he assigns himself to that sub-role and unassigns his current role - which gives treachers access to all actions, which are only "not set", "allowed" or "prevented" for all sub-roles.
The only way to prohibit an action entirly is to prohibit it for the role and all sub-roles... which is annoying.
Why is it implemented that way? Is it a feature or a bug?