Add privileged commands that manipulates a user's roles to detain them.
Requirements:
I'm not sure if there's a facility to check role permissions like that easily. It might be better to just define a list of roles in the config that meet these criteria for the admins to set.