Many sites are installed with the Standard install profile, creating a default Administrator role that user 1 is assigned to. As well, it's possible to set `is_admin` on any role with a config import.
What is confusing is when a site disables the Super User Access Policy, but the admin user still has admin access. This is because you need to additionally remove any administrator roles.
default.settings.php details this, though https://www.drupal.org/docs/administering-a-drupal-site/security-in-drup... → was missing this until I added it a few moments ago. However, nothing stops the admin user from being granted an admin role later.
Install Drupal with the standard profile, disable the superuser policy in default.services.yml, and clear caches. Note the admin user can still admin the site.
Add a status report check warning if the policy is disabled but in practice not taking effect due to additional roles. Personally, I'd be OK with this being an error too, but I think there is a case now where user 1 is a regular named account is being granted admin permissions.
Active
11.1 🔥
base system
Changes are made on on 11.x (our main development branch) first, and are then back ported as needed according to our policies.
Thank you so much for this. I just spent the past hour wondering if I'm misspelling something because my uid 1 had the Admin role. This should at least be mentioned here https://www.drupal.org/node/2910500 →