I read that documentation.
While I agree the administrator would not add/edit/delete operations, it is perfectly logical that they could create tasks based on operations and that they would be able to look at existing tasks/roles to see what operations they perform.
Imagine that you as a developer created some roles and tasks for what was needed. As a developer you cannot be expected to know all the ways the authorizations can and will be combined...and you do not care. That is what makes this product so
great. When the administrator needs a set of operations for a group of users, they just create a task attach other tasks/operations and go. Developer does not need to be involved.
Additionally you can give authorization at the operation level if you had to.....but the developer is not the one giving authorizations....and that option is not available to administrators.
What I am saying is that when you go into 'administrator mode', it should turn off the ability to add/delete/remove operations, but not remove them from being shown or added/removed from tasks/roles. (The other regarding of local user/groups/etc change