Permission issue for users

Enonic version: 6.7.3

If I give a user the “Users Administrator” role he is still not able to create new roles. It looks like we need the “Administrator” role in order to create roles, but that doesn’t really make any sense. I want to avoid giving my users “Administrator” access as that will give them the “Welcome Tour” where almost everyone ends up installing three apps and lots of content in their site. “Users Administrators” should be able to create new roles?

Thing is, if “users admin” can give other users system.admin permissions we have a problem. Currently there is no differentiation on who can create or edit a single role. This is why only system.admin can manage roles for the moment.

Also, roles are highly specific objects - intended to be managed by applications primarily. Why would you want to enable “users” to create new roles? Why not use groups?

The idea was that we create roles for the different permission types (write access to certain folders). I guess we can rather use user groups and give access to the group rather than the role. I just felt that it was weird that a “Users Administrator” could not administrate everything in the “Users” app.

I see your point indeed…