- Defect (Security)
- Resolution: Won't fix
- Major
- None
- 2.4.7
I am using LDAP authentication.
When a user logs into Zabbix using their LDAP credentials, a Zabbix user is auto-created for them via /usr/share/zabbix/include/classes/api/services/CUser.php lines 987 onwards.
Line 1002 states
$ldapUser['usrgrps'] = 7;
This means that all auto-created users are created as Zabbix Administrators. This is not desirable, as it allows all auto-created users full access to change the configuration of Zabbix, including the ability to change the authentication configuration.
The user groups that auto-created users get added to should be made configurable via the LDAP authentication configuration.
A strong argument could be made that the default should not be to add the auto-created users to the Zabbix Administrators group.
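The following is an added example, not Zabbix code and not part of this report: it places the hard-coded group assignment described above beside a hypothetical configurable replacement, and adds an audit helper a defender could use to find auto-provisioned users that ended up in the administrators group. Only the group id 7 and the 'usrgrps' key come from the report; the configuration keys (ldap_default_usrgrpids, ldap_allow_privileged_default), the $groupExists / $isAdminGroup callbacks, the 'source' field and all sample data are assumptions made for illustration.

```php
<?php
// Added example, not Zabbix code. Shows the hard-coded group assignment from the
// report beside a hypothetical configurable version, plus an audit helper.
// Only group id 7 and the 'usrgrps' key come from the report; the configuration
// keys, callbacks and sample data below are assumptions.

declare(strict_types=1);

const REPORTED_ADMIN_GROUP_ID = 7; // "Zabbix Administrators" per the report

// As reported: every auto-created LDAP user is placed in group 7.
function buildAutoCreatedUserReported(array $ldapUser): array
{
    $ldapUser['usrgrps'] = REPORTED_ADMIN_GROUP_ID;
    return $ldapUser;
}

// Hypothetical hardening: the default group list is read from the LDAP
// authentication configuration, provisioning fails closed when nothing is
// configured, and privileged groups are rejected unless explicitly allowed.
function buildAutoCreatedUserConfigurable(
    array $ldapUser,
    array $authConfig,
    callable $groupExists,   // fn(int $usrgrpid): bool  (assumed lookup)
    callable $isAdminGroup   // fn(int $usrgrpid): bool  (assumed lookup)
): array {
    $groups = $authConfig['ldap_default_usrgrpids'] ?? [];
    if ($groups === []) {
        throw new RuntimeException(
            'LDAP auto-provisioning is enabled but no default user group is configured'
        );
    }
    $allowPrivileged = (bool) ($authConfig['ldap_allow_privileged_default'] ?? false);

    $usrgrps = [];
    foreach ($groups as $gid) {
        if (!is_int($gid) || $gid <= 0 || !$groupExists($gid)) {
            throw new RuntimeException(
                'Configured default user group ' . json_encode($gid) . ' does not exist'
            );
        }
        if ($isAdminGroup($gid) && !$allowPrivileged) {
            throw new RuntimeException(
                "Refusing to auto-provision LDAP users into privileged group {$gid}"
            );
        }
        $usrgrps[] = ['usrgrpid' => $gid];
    }
    $ldapUser['usrgrps'] = $usrgrps;
    return $ldapUser;
}

// Audit helper: aliases of auto-provisioned users that sit in the admin group.
function findAutoProvisionedAdmins(array $users, int $adminGroupId): array
{
    $hits = [];
    foreach ($users as $u) {
        if (($u['source'] ?? '') !== 'ldap-auto') {   // 'source' is an assumed field
            continue;
        }
        foreach ($u['usrgrps'] as $g) {
            if ((int) $g['usrgrpid'] === $adminGroupId) {
                $hits[] = $u['alias'];
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample data for a stand-alone run.
$ldapUser     = ['alias' => 'jdoe', 'name' => 'Jane', 'surname' => 'Doe'];
$groupExists  = fn(int $id): bool => in_array($id, [7, 8, 12], true);
$isAdminGroup = fn(int $id): bool => $id === REPORTED_ADMIN_GROUP_ID;

$reported = buildAutoCreatedUserReported($ldapUser);
printf("reported: usrgrps=%s\n", json_encode($reported['usrgrps']));

$hardened = buildAutoCreatedUserConfigurable(
    $ldapUser, ['ldap_default_usrgrpids' => [12]], $groupExists, $isAdminGroup
);
printf("hardened: usrgrps=%s\n", json_encode($hardened['usrgrps']));

try {
    buildAutoCreatedUserConfigurable(
        $ldapUser, ['ldap_default_usrgrpids' => [7]], $groupExists, $isAdminGroup
    );
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

$users = [
    ['alias' => 'Admin',  'source' => 'internal',  'usrgrps' => [['usrgrpid' => 7]]],
    ['alias' => 'jdoe',   'source' => 'ldap-auto', 'usrgrps' => [['usrgrpid' => 7]]],
    ['alias' => 'asmith', 'source' => 'ldap-auto', 'usrgrps' => [['usrgrpid' => 12]]],
];
printf("auto-provisioned admins: %s\n",
    implode(', ', findAutoProvisionedAdmins($users, REPORTED_ADMIN_GROUP_ID)));
```

The hardened variant fails closed on two conditions that the reported code never checks: an empty or missing default-group setting, and a default group that is itself privileged. The audit helper is the check to run against an existing installation before changing the default, since users already provisioned into the administrators group keep that membership regardless of what the code does afterwards.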