Regarding your last paragraph:
> The other issues that can be presented through different levels of admin, those accounts should be admin accounts only
I don't understand your point there. The ability to create projects is available only through Site Admin. And the ability to create users at the Site level (with LDAP authentication enabled) is also only available through Site Admin. These are two relatively simple and innocuous tasks that could be assigned to somebody who would not also need to have the ability to manipulate Site configuration parameters, modify database or application servers, change log levels, or change the authentication parameters. But granting those rights is an all or nothing proposition. Those rights can't be granted to users through assignment to a user group in a project. And, back to the original point of my post, we can't grant levels of Site Admin access.
In our situation, for instance, only two people are fully trained to understand the ramifications of modifying Site Configuration items, changing authentication settings, and modifying the database and application servers. We don't want those two people to also be the only two people (for an organization of thousands) with the ability to create users and projects. So, we grant Site Admin access to a small additional group of users. There is nothing preventing those additional users from modifying other data, except that we've told them not to. Luckily, so far, they have complied. But there is no pre-built way for us to prevent them from doing things they shouldn't, except by creating interface applications and then removing those users from the Site Admin group.
Also, at this point the Site Admin module "documents" the changes only through the log files, which in my opinion is grossly inadequate. It can't be effectively parsed or reported against. I've noticed that there is an Audit table in the Site Admin schema, but it remains obstinately empty. I've asked on other forums about auditing SA activities, and everybody says all there is is the log files.
Just my humble opinion. Always open to an energetic debate :)