I current version of EJBCA (6.3.2) the administrator is allowed to change the options "Keep Active" and "HealthCheck" on the "CA Activation" page even if he/she has insufficient privileges.
Upon attempting to change these two options (by clicking on the and hitting the "Apply" button), the administrator will be presented with error messages (for example):
Administrator 'CN=BLAH' not authorized to edit CA BLAHBLAH.
It would be better if the check-boxes were greyed-out in such a case (maybe even the Apply button should not be present). This would give more confidence in what the administrator is actually able to do.