Is there a way to unimportRoles or disable capabilities for a certain role? I don't believe so based on the documentation:
<capability> = <enabled>
* Roles inherit all capabilities from imported roles, and inherited
capabilities cannot be disabled.
importRoles = <string>
* Semicolon delimited list of other roles and their associated capabilities
that should be imported.
* Importing other roles also imports the other aspects of that role, such as
allowed indexes to search.
We would like to create a custom role to override inherited capabilities. An example would be a system account which has less capabilities but has inherited user role capabilities. Right now it seems like an RFE.
One solution might be to create a new role (ie. user-system) with fewer capabilities than the normal 'user' role. Then have your 'system-account' role inherit this new 'user-system' role along with the capabilities assigned to it.
Thanks for your response but this is not what I'm looking for. Since group membership allows a group owner to add their system-account to their own group, the system-account then inherits user capabilities. Even if I find out about the system-account and drop it into a system-account-role, it doesn't uninherit the capabilities already granted by a user role.
This is why I am looking for a way to uninherit or disable capabilities.