We have a situation where too many site owners in our organization who aren't fully trained in SharePoint have "Full Control" permissions to various sites right now, and it's starting to bite us a little bit (because they accidentally do things that cause problems). Since I can't edit the "Full Control" permission level (it's one of the protected ones), I created a new permission level that has the set of permissions I want.
However, since the new permission level still includes the "Manage Permissions" privilege (because we do want site owners to at least be able to manage which users can access their sites), I'm worried that users with the new permission level will be able to go back in and just re-assign themselves (or someone else) "Full Control" permissions.
Is there a way to keep users from being able to assign the "Full Control" permission level but still be able to assign others?
I'm kind of wishing that something existed for permission levels like what exists for content types and page layouts where I can define a bunch at the top (site collection) and then "filter out" what can be selected for any site below that.