What type of edit are you trying to do? The first thing we did was strip it down to bare essentials and renamed some of the text. Our help desk found some of the code types to be confusing.
We changed... Unlock user to "Temporarily Enable", since it doesn't unlock a bad password lockout.
Reset token to "Unlock and Reset", since it resets their password and removes a bad password lockout.
After one of the code updates (allowed sbadmcl utility to issue recovery codes) from late 2006, we actually rewrote the whole thing in PHP to allow more control of what actions can be performed by help desk people. We filtered out any password change codes for support accounts or machine codes for xxxx-STOLEN, xxxx-CSIRT, xxxx-LOST. We also built tools for the help desk to add/remove users to/from machines, list users for machines, get cleaner data from Reporting Tool, and prep a machine for reimage (rename existing registration to xxxx-RI(1+). This also helped the help desk by removing the need to remember a separate SafeBoot password for the web-site. They could login using their normal domain credentials (and I didn't have to setup special permissions for them in the console).
As far as how to handle help desk people (not second level support), web-ify everything they do. Don't give them the console if you don't have to. It is easier to read a text log (output from PHP with who did what) than check the SB audit on anyone who might have done that horrible thing (especially if it were a delete, which would only retain the object ID of the deleted entry, not the name).
Bah... you said self-recovery. Umm, we just disabled that and have them call the help desk. If they screw up their password, they normally can't get to a web page to fix themselves (if using Device Encryption). I guess it could work for mobile devices or Content Encryption.
Same rules apply for hacking those web pages though. Remove any action you don't want them to do, remove any admin links or links to SafeBoot/McAfee. You don't want users trying to get help directly from the vendor.