Along similar lines, a transaction variant could work.
More importantly, if you cannot trust users not to change user types, then there is no way that they should be allowed to have SU01. A simpler solution would be to tell them not to do it and review change reports. If you detect an anomaly, then discipline/remove from your account. Behaviours will soon change.