I think there is a problem with regular expression in file etc/org.apache.karaf.command.acl.system.cfg
Specifically:

start-level[/.*[0-9][0-9][0-9]+.*/] = manager # manager can set startlevels above 100
start-level[/[^0-9]*/] = viewer               # viewer can obtain the current start level
start-level = admin                           # admin can set any start level, including < 100

I think the first one (for manager) should have the first numeric bracket starting with 1 except for 0.

The 2nd one means, I can run

system:start-level

as a viewer, but the 3rd regular expression says, that only admin can do that. Isn't it supposed to be, that

system:start-level

can be run by every user and

system:start-level

with number < 100 only by admin? So that 2nd regex should be:

start-level[/.*[0-9]([0-9])?.*/] = admin