permissions design needs review
The permissions to edit a CI based on being an admin of the CI are easy to subvert, since anyone can edit the cluster relationships. Holding the cluster relationship editing to the same restrictions is not a viable option however, because we run into a chicken and egg situation where someone is responsible for a system, but that is not reflected in CMDB yet, and they can't fix it. Requiring human approval/intervention in this process would by a huge bottleneck and a significant dis-incentive to keeping CMDB correct & complete.
One option is to keep the CI editing permissions checking in place for the non-relationship aspects; to allow any and all editing of relationships by anyone including the now blocked adding and removing direct (non-cluster) relationships, but adding an email notification to the current primary sysadmin(s) as a protection against unwanted changes.