When portal came out I was very excited because for years had to deal with the Arcgis Server security where you could assign permissions to folders or services. Unfortunately this only applied to users. If you were a publisher or admin all security went out the window.
Here is my suggestion: Now that we have Federated Arcgis Servers that use Portal security I think the servers security model should actually mimic portal security instead of the following:
“If a custom role is created with any administrative privileges, ArcGIS Server will grant members within that role full administrative access. This includes rights to publish any service type directly to ArcGIS Server and the ability to view and access all services. Consider the security risks before creating a custom role for any member that includes administrative privileges.”
This limits the assignment of any Admin rights, even minor ones, in our environment where there is sensitive data. Those added checkboxes in custom roles just sit there and taunt me.