Thanks, Alan, for responding. OK, I get your points. But if I had Admin privileges and could turn on/off or limit user functions based on login, it would be even more useful. Certainly someone compromising the machine as Admin is still a threat (HSM etc. would help that, as you say).
Here's my scenario: I want a User to be able to create, import, sign, and broadcast multi-sig txns, but not be able to import new public addresses, and not be able to spend single sig from his wallet, or at least only be able to spend to whitelist addresses maintained by Admin. Only Admin can import new public addresses, change whitelist etc. Even better would be daily spending or txn number limits.
Am I missing something? Will pay BTC to someone who wants to consult and figure this out, thx.