according to javadoc, hudson.security.Permission#enabled "allows us to dynamically enable or disable the visibility of permissions, so administrators can control the complexity of their permission matrix".

But setting Jenkins.ADMINISTER.enabled=false has no impact, I still can access all administrative actions. Sounds to me the ACL permission check has to first ensure requested permission is enabled, before it compare with users' granted authorities.