[AccessControl] Ability to deny admins from revoking other admins
🧐 Motivation
Suppose we have a common role hierarchy like: Operator Admins => Operators. Operators can do certain daily operations. Operator Admins can manage operators. Admins can also add other admins or renounce themselves. This is OK.
But what if one of the admins' private keys leaks to the public? In this case, we want to prevent this admin from revoking other admins, to maintain partial control over the system. Otherwise the leaked private key can be used to add another, hacker-controlled private key and revoke all other operator admins from the system, capturing and sealing the hacker's permission over operators forever.
So it makes for a better permission model to disallow any member from revoking other members of its kind (same role) for the top role in the hierarchy.
BTW
It was the case in v2.3.0 for the WhitelistAdmin role, but I am not sure why it was changed: I don't see the ability for an admin to revoke other admins here: https://github.com/OpenZeppelin/openzeppelin-contracts/blob/release-v2.3.0/contracts/access/roles/WhitelistAdminRole.sol.
It looks like a downgrade in the security model.
📝 Details
As far as I understand, AccessControl.sol cannot be configured this way right now.
We need an additional configuration option in RoleData, like:
struct RoleData {
    mapping (address => bool) members;
    bytes32 adminRole;
    bool revokingOtherMembers;
}
This option can determine whether a member can revoke other members.
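An added example of the proposed option, not OpenZeppelin's code: since RoleData is private to AccessControl, the flag lives in a subclass mapping and is enforced by overriding revokeRole. It assumes OpenZeppelin Contracts 4.6 or later (internal _grantRole, revokeRole/renounceRole as in that release line); the contract and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.4;

import "@openzeppelin/contracts/access/AccessControl.sol";

// Added example, not OpenZeppelin code. Mirrors the proposed
// RoleData.revokingOtherMembers flag with a per-role mapping kept
// in the subclass, because RoleData itself cannot be extended.
contract PeerProtectedAccessControl is AccessControl {
    // role => true when members of that role may NOT revoke other members
    mapping(bytes32 => bool) private _peerProtected;

    error CannotRevokePeer(bytes32 role, address caller, address account);
    event PeerProtectionSet(bytes32 indexed role, bool protectedFlag);

    constructor(address[] memory initialAdmins) {
        for (uint256 i = 0; i < initialAdmins.length; i++) {
            _grantRole(DEFAULT_ADMIN_ROLE, initialAdmins[i]);
        }
        // Top of the hierarchy: admins administer themselves, so a
        // leaked admin key must not be able to evict the other admins.
        _setPeerProtected(DEFAULT_ADMIN_ROLE, true);
    }

    function isPeerProtected(bytes32 role) public view returns (bool) {
        return _peerProtected[role];
    }

    function _setPeerProtected(bytes32 role, bool flag) internal {
        _peerProtected[role] = flag;
        emit PeerProtectionSet(role, flag);
    }

    // super.revokeRole keeps AccessControl's onlyRole(getRoleAdmin(role))
    // check; this only adds "a member of a protected role cannot revoke a
    // different member of that same role". renounceRole is untouched, so
    // an admin can still remove itself (and the leaked key can be revoked
    // by the remaining admins as usual).
    function revokeRole(bytes32 role, address account) public virtual override {
        address caller = _msgSender();
        if (_peerProtected[role] && hasRole(role, caller) && account != caller) {
            revert CannotRevokePeer(role, caller, account);
        }
        super.revokeRole(role, account);
    }
}
```

Note that this only stops a compromised admin key from locking the other admins out; accounts the leaked key grants roles to still have to be revoked by the remaining admins.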
- Created 2 years ago
- Comments: 6 (4 by maintainers)
@bogdan if you want to try doing contract maintenance/administration easily, and using a multisig transparently, I recommend you check out defender
Agreed. This can only happen for the top role in the hierarchy.
This vision is too theoretical. Companies are not made just to be secure; they have to make money in the first place. If you can make the system more secure without creating more operational work, you should take this opportunity even if it is not THAT secure.