You write the use policy, the developers write the system policy. You merely configure the system policy to ideally be in line with the use policy.

At the end of the day you have a policy of access controls... and then an account that completely voids that policy. Not sure why you have difficulty in grasping that fact... but then you have a problem grasping many facts...

cheers,

catch