Why do providers have access to the Admin UI & super user functions?

Platform: 1.11.2 OpenMRS 2.2

Why is that a user with role as organization:doctor and provider role is able to access the admin UI and perform all the functions as super user.

Is this bug ? whats the status on the fix?

Please update.