I read http://wiki.dreamhost.com/Account_Privileges and thought it made pretty good sense. All the boxes are left unchecked by default when you add a new Web ID, so it seemed to me like a simple matter of "check the boxes that you DO want the person to be able to do". And stay away from giving them access to your plan, or your billing, or any of the "all" choices. Only give them the very specific domains and users that you want them to have access to.
I was trying this out with a test user, to make sure I understood the feature properly. Here's what I did:
I added a Web ID using my work email address (as opposed to my personal one). I gave it access to one domain (let's call it foo.com) and one user (let's call it bar).
I clicked "Log out", and logged back in as the new Web ID, with the password it gave me.
I tried creating a new domain. It (correctly) told me I couldn't.
I tried creating a one-click install (easy mode). I gave it a domain underneath foo.com (that I'm supposed to have access to). It let me, which is OK.
I tried creating a one-click install (easy mode) in a domain underneath bar.com (something that that web ID was not supposed to have access to) and... it let me!
At least it doesn't let you delete one-click installs that aren't underneath a domain that you don't have access to.
Is there a way to basically say "this Web ID can't do ANYTHING except what I have specifically allowed them to do"? Not even one-click installs?