If you're at this site, you're probably wondering, "Can root do it?" The answer is always, "Yes." And root can mean Administrator, sa, system, sys, or any other "God-Level" account on a particular system or app.
I've been in IT for over 25 years, and this domain was created because I've talked to countless people that have asked, "how can I block [insert synonym for root here] from doing <x>?" And the answer is, you can't. Whomever you hired and given root privileges can do whatever it is you don't want them to do to your system.
Perhaps you shouldn't have hired them, if you're asking this.
Perhaps you didn't understand that "root" means "root."
Perhaps you think there is some true way to segregate duties that the almighty super-user has.
I'm here to dispel you of those myths.
Root can do it.
So now what do you do? Well, this site will seek to answer those questions, but its not going to be by limiting the root user. It will be through other means that can ease your concerns, but not completely eliminate them.
Ultimately, if you don't trust someone with root, don't give it to them.
Giving credit where credit is due; this domain is not my idea, but comes from a former colleague (Matt P) that kept saying, "Root can do it. I'm not sure what these <customers/app owners/people/users/etc.> think. Root can do it, and that's just it." Like him, I got tired of explaining that if someone has root, and wants to do something, they can do it. You can track it, record it, log it, alert on it, and do all sorts of other things, but you really can't stop it. At best, you can slow it down, make it harder, and be prepared to react to it. Or ... don't give it out.
Some links I've found useful over the years: