TFS 2015 R2. I have a release definition. I'm trying to disallow editing of it to collection administrators (only server administrators can edit). Here's the current setup:
"Not set" for all groups except server admins, "Allow" for server admins.
The collection admins indeed can't edit the def in question, but they can change the security on it, letting themselves edit again. Any way to disallow permission editing? Seems like none of the release def permissions covers editing permissions themselves.
Setting Deny for coll admins and Allow for server admins doesn't work, since the latter group belongs to the former; even if you set Allow, when you try to save, it switches to "Inherited deny".
EDIT: take 2, changed Administer release permissions, Edit release definition to Deny for all groups with Allow for myself. The coll admin can still mess with permissions.
UPDATE: reported that to Microsoft, if you're experiencing this too, click here and upvote.
Update2
Even though a TFS server admin can do anything in TFS server, not all TFS permissions are defined in the TFS server group. This is why the Team Foundation Administrators group is added to the Project Collection Administrators group by default.
So your permission in the collection (even though you are a TFS server admin) is also granted from the project collection administrator group. How does a Windows admin disallow another Windows admin? It's the same concept. So you may have to either orally inform them or move them out of the project collection admin group. Add the users to another group.
Update
It is possible to directly deny the collection admins from editing the release definition. However, it is not possible to prevent them from editing the permission back themselves. Members of the team project collection group can perform all privileged operations on the Team Project Collection.
Besides, there is no related permission to disallow someone in the team project collection group from editing the release definition permission. It seems we can only restrict them from modifying the set permissions on the release definition through notice.
In TFS, deny trumps allow. You could add all your collection administrators to a particular group. Then you just need to disable this particular group's permission to edit the release definition.
After changing Edit release definition to Deny for the Project Collection Administrators group, I am not able to modify the release definition, as I am now in the Project Collection Administrator group. The option to add a task is grayed out.