You could do

userdb {
   driver = username_format=%Lu passwd-file
   args = /etc/dovecot/share.passwd
}

#  /etc/dovecot/share.passwd
test@onnet.ch::::::: userdb_acl=vfile:/etc/dovecot/dovecot-acl userdb_acl_globals_only = yes

should prevent the user from modifying any ACL files.

Aki

On 05.08.2018 17:04, Simeon Ott wrote:
Hello

Is it possible to limit the ability of sharing it’s own mailboxes to only a few users?
We have a few sensitive mailboxes of users where the ability to share via IMAP SETACL should be prevented.

I tried the following so far…
  doveadm acl remove -u test@onnet.ch INBOX user=test@onnet.ch admin

but when doing this the admin rights are still there
  doveadm acl rights -u test@onnet.ch INBOX
  vmail@buserver:~$ doveadm acl rights -u test@onnet.ch INBOX
  Rights                                                                                                                
  lookup read write write-seen write-deleted insert post expunge create delete admin

Thanks in advance for your help
Simeon