When logged into the SEP Mobile Management Console (MC) using an account which has been assigned the Viewer role, it is observed that the user appears to have the capability to change settings, which should only be possible using an account with the Full Admin role.
For example, a user with the Viewer role can adjust settings on the Protection Actions page, and when doing so will be prompted with the same orange warning banner which an Admin would receive before committing a change:
This is expected behavior. If a user with the Viewer role were to actually try and Apply a settings change in any part of the MC they would be denied:
To confirm any recent config changes in the MC, please refer to the Admin Audit Log:
For information on managing logins for the MC please refer to the product KB: