I think what you are saying is how can you stop someone from just granting themselves rights to the DB Config section of Maximo. I did something with different security groups and would have to play around with it in a lower environment to remember what I did. But basically, I wrote a few CEM Rules and added some data restrictions. The rules basically were that there were tiers of administrators. I think I might have changed some of the relationships but it was about 2 years ago so it all a big fuzzy.
Top tier was MAXADMIN and you could grant anything and could see anything.
The next tier was BUSADMIN and there were conditions you could not see on the ApplicationAuth table and you could not grant anyone MAXADMIN or BUSADMIN rights.
The next tier was SUPERUER and they had more things they could not see on the ApplicationAuth table and they could not grant MAXADMIN, BUSADMIN or SUPERUSER rights.
You will need to look at people who can add people into security groups with DB Config rights as well as stopping people from granting those rights to new or existing groups. I remember that I checked the current users rights and compared it to the groups inside the CEM Rules and the relationships. Hope that gives you a head start.