Account Roles created at the root-account level automatically 'trickle down' to the sub-accounts and there is currently no way to prevent this from happening.
It would be great to be able to create root-account level roles that are not available in the sub-accounts. For example, we have created a 'Masquerade' role, where the *only* enabled permission is to 'Become other users.' This permission is not available at the sub-account level, but the role trickles down anyway. This means that people can grant users sub-account admin roles that will not work as expected.
Additionally, we have created other Account Roles that are only intended to be used at the root-level (such as Service Accounts, or fully permissioned Account Admins), so it is confusing for those roles to exist at the sub-account level as well.
https://community.canvaslms.com/groups/harvard?sr=search&searchId=5d3b211b-e9d8-4b1c-a11a-2d004a3695...
