Find a way to prevent ACL changes even with Full Access Admin invoked.

My guess for why scenario is something like:

If you are an admin/editor of the directory with the server modify role, you can edit the server doc and add yourself to full access. This is how we get that wonderful "sudo" root type access I love for those frustrating moments.

I have been at businesses who for very knowlegable regulatory auditors who don't know technology, but can spin the English language, have forced the admins to add the SECURE_DISABLE_FULLADMIN=1  notes.ini to block this wonderful feature.  When the Domino environment logs that I have sudo, it seems to me, we have the needed legal discovery and audit history. However, auditors and lawyers know what's most efficient for the human race. <sarc> Besides, why fix an ACL the 15 second way, when you can spend massive amount effort and time to take it off site, to a "secure recovery firm" to put it on their Domino server for 15 seconds,  use this "sudo" feature, add the entry,  and send it back to you --- saving you from that terrible mistake for a very reasonable $5,000.00 fee. Or, they can pretend they cannot do that, and instead export the data to flat-files for much more, and let you think they saved you for less than $50,000.

INI from the Domino documentation:

You can disable the Full Access Administrators field by setting SECURE_DISABLE_FULLADMIN = 1 in the NOTES.INI file. This setting disables full access adminstrator privilege and overrides any names listed in that field in the Server document. This NOTES.INI parameter can only be set by a user with physical access to the server who can edit the ...

What type of problem are you trying to solve?

And/or provide a better logging of the use of Full Access Admin and which changes were made to the ACL. 

And improve the tools for setting up alarms for ACL changes.

Or: just use the existing restriction to WHO is able to use full access administration ;-)