diff -u b/core/lib/Drupal/Core/Action/ActionInterface.php b/core/lib/Drupal/Core/Action/ActionInterface.php
--- b/core/lib/Drupal/Core/Action/ActionInterface.php
+++ b/core/lib/Drupal/Core/Action/ActionInterface.php
@@ -73,6 +73,7 @@
 * The action operation.
 * @param \Drupal\Core\Session\AccountInterface $account
 * The user account to be checked.
+ *
 * @return bool
 * If the given user account is allowed to access this action.
 */
diff -u b/core/modules/user/tests/src/Functional/Views/BulkFormTest.php b/core/modules/user/tests/src/Functional/Views/BulkFormTest.php
--- b/core/modules/user/tests/src/Functional/Views/BulkFormTest.php
+++ b/core/modules/user/tests/src/Functional/Views/BulkFormTest.php
@@ -113,19 +113,10 @@
 $this->assertTrue($anonymous_account->isBlocked(), 'Ensure the anonymous user got blocked.');
 
 // Test the list of available actions with a value that contains a dot.
-<<<<<<< HEAD
- $this->drupalLogin($this->drupalCreateUser([
- 'administer permissions',
- 'administer views',
- 'administer users',
- ]));
- $action_id = 'user_add_role_action.' . $role;
-=======
 $this->drupalLogin($this->drupalCreateUser(['administer permissions', 'administer views', 'administer users']));
 $role_id = strtolower($this->randomMachineName());
 Role::create(['id' => $role_id])->save();
 $action_id = 'user_add_role_action.' . $role_id;
->>>>>>> 94ad5ece95 (Applying patch from issue 2846365 comment 67)
 $edit = [
 'options[include_exclude]' => 'exclude',
 "options[selected_actions][$action_id]" => $action_id,
diff -u b/core/modules/user/tests/src/Unit/UserAccessControlHandlerTest.php b/core/modules/user/tests/src/Unit/UserAccessControlHandlerTest.php
--- b/core/modules/user/tests/src/Unit/UserAccessControlHandlerTest.php
+++ b/core/modules/user/tests/src/Unit/UserAccessControlHandlerTest.php
@@ -286,16 +286,9 @@
 ];
 $access_info[] = [
 'field' => $field,
-<<<<<<< HEAD
- 'viewer' => 'emailViewer',
- 'target' => 'owner',
- 'view' => $field === 'mail',
- // See note above.
-=======
 'viewer' => 'account_with_admin_perms_perm',
 'target' => 'owner',
 'view' => FALSE,
->>>>>>> 94ad5ece95 (Applying patch from issue 2846365 comment 67)
 'edit' => TRUE,
 ];
 }
only in patch2:
unchanged:
--- a/core/modules/comment/tests/src/Unit/Plugin/views/field/CommentBulkFormTest.php
+++ b/core/modules/comment/tests/src/Unit/Plugin/views/field/CommentBulkFormTest.php
@@ -34,6 +34,9 @@ public function testConstructor() {
 $action->expects($this->any())
 ->method('getType')
 ->will($this->returnValue('comment'));
+ $action->expects($this->any())
+ ->method('access')
+ ->willReturn(TRUE);
 $actions[$i] = $action;
 }
 
@@ -41,6 +44,9 @@ public function testConstructor() {
 $action->expects($this->any())
 ->method('getType')
 ->will($this->returnValue('user'));
+ $action->expects($this->any())
+ ->method('access')
+ ->willReturn(TRUE);
 $actions[] = $action;
 
 $entity_storage = $this->createMock('Drupal\Core\Entity\EntityStorageInterface');
only in patch2:
unchanged:
--- a/core/modules/user/src/Plugin/Action/ChangeUserRoleBase.php
+++ b/core/modules/user/src/Plugin/Action/ChangeUserRoleBase.php
@@ -99,4 +99,11 @@ public function access($object, AccountInterface $account = NULL, $return_as_obj
 return $return_as_object ? $access : $access->isAllowed();
 }
 
+ /**
+ * {@inheritdoc}
+ */
+ public function userAccess($operation, AccountInterface $account) {
+ return $account->hasPermission('administer permissions');
+ }
+
 }
only in patch2:
unchanged:
--- a/core/modules/user/src/UserAccessControlHandler.php
+++ b/core/modules/user/src/UserAccessControlHandler.php
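Review bot: Both new stubs in CommentBulkFormTest make `access` return TRUE under `$this->any()`, so the test passes whether or not the constructor consults access at all, and the path where an action is denied is never exercised. Add one mock whose `access` returns FALSE and assert that it is missing from the resulting action list; the same applies to the second hunk at new line 44. Also confirm that the stubbed method name is the one the bulk form actually calls, since the plugin method added to ChangeUserRoleBase in this patch is `userAccess`, not `access`. testConstructor() begins and ends outside both hunks.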
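Review bot: `userAccess()` in ChangeUserRoleBase ignores `$operation` and returns a bare bool, so on its own it can only decide whether the role actions are offered to an account; the per-object check is `access()`, whose body begins outside this hunk. Confirm that `access()` ends up requiring 'administer permissions' for the acting account as well, because hiding an action from a list is not enforcement by itself. The `{@inheritdoc}` docblock would also benefit from one why-line inside the method, for example `// Assigning roles can grant any permission, so require 'administer permissions'.`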
@@ -88,9 +88,10 @@ protected function checkFieldAccess($operation, FieldDefinitionInterface $field_
 // Fields that are not implicitly allowed to administrative users.
 $explicit_check_fields = [
 'pass',
+ 'roles',
 ];
 
- // Administrative users are allowed to edit and view all fields.
+ // Administrative users can edit all fields except password and roles.
 if (!in_array($field_definition->getName(), $explicit_check_fields) && $account->hasPermission('administer users')) {
 return AccessResult::allowed()->cachePerPermissions();
 }
@@ -139,6 +140,8 @@ protected function checkFieldAccess($operation, FieldDefinitionInterface $field_
 return ($operation == 'view') ? AccessResult::allowed() : AccessResult::neutral();
 
 case 'roles':
+ return AccessResult::allowedIfHasPermission($account, 'administer permissions');
+
 case 'status':
 case 'access':
 case 'login':
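Review bot: The rewritten comment in the first hunk says administrative users can only "edit" all fields, but the branch under it returns `AccessResult::allowed()` without looking at `$operation` in the lines shown, so it still covers viewing too. Suggest `// Administrative users can view and edit all fields except password and roles.` so the comment matches the condition. A short comment on the new `'roles',` entry saying that it defers the decision to the `case 'roles':` branch further down would also help. checkFieldAccess() begins and ends outside the hunk.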
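Review bot: The new return under `case 'roles':` does not distinguish `$operation`, so viewing the roles field now depends on 'administer permissions' exactly as editing does; accounts holding only 'administer users' presumably reached the shared `case 'status':` handling before this change. If restricting both operations is intended, say so in a comment above the return, e.g. `// Viewing and editing roles both require 'administer permissions'.`, and cover the view case in UserAccessControlHandlerTest. Note also that `allowedIfHasPermission()` yields a neutral result, not a forbidden one, when the permission is missing, so the denial relies on no other access logic granting it. The switch starts and ends outside the hunk.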