How to make sure there is no rule allowing Audit Privilege user to update security?