In the App security → user role tab there is an option where you can select which user role can manage which user role. You can refer to the image below.
Just select the user role which you want to manage by the current user role.
Let me know if you face any issues,
Hope it helps!
To be honest, I don't think you should limit your admin account to only managing principal accounts, as you, as an admin, should have access to deal with and manage everything in your project.
For the other accounts, you could create an entity “person” and three other entities which would inherit from the person entity. Like this:
Assuming you followed the domain model I suggested above, you could manage the permissions of the entities inherited from “person” to tell what each role in your system will do with each person entity.
For the “principal” entity:
While the admin role has full access:
The other roles will have only read access: