Previously, dynamic authentication was introduced that allows a SAML IDP to provide role to assign to users. This behavior is a loophole to the above problem since anyone who controls the IDP could give admin access to LiveNX.