Smart Access Point Pro, permissions bug?

If I understand the manual of the D04011 Smart Access Point Pro, a user with role "main" should not be able to change the permissions of a user with role "admin". Unfortunately this DOES seem to be possible! If I login as a "main" user and try to delete a cylinder for an "admin" user for example, the web UI flashes up a message saying "insufficient permission" or something similar, but then it carries out that action anyway! Has anyone else experienced this? Maybe I've understood things incorrectly, but if correct this would be a major security bug!