I don't remember why I did this initially but adding "Site Administrator" as a role to the ZMI root (normally created within Plone) seems to have adverse effects on Plone sites created after that point. For those sites, the Site Administrator role will not be visible as a role you can globally assign in Plone on the users or groups page, and is not visible in acl_users/portal_role_manager either. Debugging, you can see it's not in
After a lot of digging, I found what was going on in GenericSetup/rolemap.py. The base profile CMFPlone:default should be adding Site Administrator role from its rolemap.xml. This import step checks the incoming roles against "site.valid_roles()" before adding them though. It is in valid_roles so it never gets added to __ac_roles__. It looks like valid_roles accounts for the role being assigned in a parent, which it is. But almost everything else in Plone only looks directly at
I'm happy to file a bug report on this but wanted to check if this is just not meant to be supported. Again, I don't even remember my original intention here so I'd be ok to drop it.
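A simplified model of the behaviour described in the post above, added here as an illustration and not taken from Zope, GenericSetup or the original post. `Node`, `import_roles` and `inherited_only_roles` are hypothetical stand-ins, and the role lists are constructed sample data.

```python
# Simplified stand-ins for the objects in the post; not Zope/GenericSetup code.
BASE = ("Anonymous", "Authenticated", "Manager", "Owner")
ROLEMAP = ("Member", "Reviewer", "Site Administrator")  # constructed sample


class Node:
    """Object with local roles in __ac_roles__ and an optional parent."""

    def __init__(self, roles=BASE, parent=None):
        self.__ac_roles__ = tuple(roles)
        self.parent = parent

    def valid_roles(self):
        # Collect roles defined here and on every ancestor.
        seen, node = [], self
        while node is not None:
            for role in node.__ac_roles__:
                if role not in seen:
                    seen.append(role)
            node = node.parent
        return tuple(seen)


def import_roles(site, incoming):
    """Add only roles that valid_roles() does not already report."""
    already = set(site.valid_roles())
    local = list(site.__ac_roles__)
    for role in incoming:
        if role not in already:
            local.append(role)
            already.add(role)
    site.__ac_roles__ = tuple(sorted(local))


def inherited_only_roles(site):
    """Roles valid on the site but absent from its own __ac_roles__."""
    return sorted(set(site.valid_roles()) - set(site.__ac_roles__))


def demo():
    clean_root = Node()
    modified_root = Node(BASE + ("Site Administrator",))
    site_a = Node(parent=clean_root)      # created under an unmodified root
    site_b = Node(parent=modified_root)   # created after the root gained the role
    import_roles(site_a, ROLEMAP)
    import_roles(site_b, ROLEMAP)
    return site_a, site_b


if __name__ == "__main__":
    for name, site in zip(("site_a", "site_b"), demo()):
        print(name, site.__ac_roles__, "inherited only:", inherited_only_roles(site))
```

Any role returned by `inherited_only_roles` is one that code reading only the site's own `__ac_roles__` will not see.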