Reading that issue https://www.drupal.org/project/drupal/issues/366950, I discovered that after 10 years, Drupal is still not able to provide an extra permission that allows assigning roles to a user without being able to manage all the permissions...

When you create / edit a user, if you don't have the 'administer permissions' permission, you are not able to assign a role to that user.
That's not logical at all.

We should have at least 2 permissions *:
- manage permissions (granting access to /admin/people/permissions)
- assign users roles (allowing to assign a role to a user)

These 2 actions are completely different and might be done by different roles. Opening the permissions management to a role just because we want that role to be able to assign roles to users might be a problem if not a security issue!

* I said "at least" because it would be even better to have a permission per role like:
- assign 'administrator' role to user
- assign 'another role' role to user
- etc.

I think there's a huge lack of granularity here.
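
The split proposed in the summary above, modelled as an added example that is not part of the original issue and is not Drupal code: a per-role `assign <role> role` permission is checked instead of `administer permissions`. The role names, sample permission sets and function names are assumptions made for illustration.

```python
# Toy model of the permission split proposed in the issue; not Drupal code.
# Only 'administer permissions' comes from the issue text, the other
# permission names, the roles and the function names are hypothetical.
ADMIN_PERMS = "administer permissions"

# Constructed sample data: role -> permissions granted to that role.
ROLE_PERMS = {
    "administrator": {ADMIN_PERMS, "administer users"},
    "support": {"administer users", "assign editor role"},
    "editor": {"edit any content"},
}


def perms_of(roles):
    """Union of the permissions of every role an account holds."""
    return set().union(*(ROLE_PERMS.get(r, set()) for r in roles))


def can_assign_current(actor_roles, role):
    """Behaviour described in the issue: one permission gates every role,
    so the role being assigned is not even looked at."""
    return ADMIN_PERMS in perms_of(actor_roles)


def can_assign_split(actor_roles, role):
    """Proposed behaviour: a dedicated 'assign <role> role' permission."""
    return f"assign {role} role" in perms_of(actor_roles)


def apply_role_change(actor_roles, current, requested, check=can_assign_split):
    """Return the target account's new role set.

    Every role that would be added or removed must pass the check; a request
    touching a role outside the actor's delegation is rejected as a whole,
    so a limited account can neither grant nor strip 'administrator'.
    """
    current, requested = set(current), set(requested)
    changed = current ^ requested  # roles being added or removed
    denied = sorted(r for r in changed if not check(actor_roles, r))
    if denied:
        raise PermissionError(f"not allowed to change roles: {denied}")
    return requested
```

With the single-permission check, letting `support` assign `editor` would mean granting it `administer permissions`, which also opens every other role; with the split check, the same account can change `editor` and nothing else.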

Comments

MacSim created an issue. See original summary.

Status: Active » Closed (duplicate)

My bad. This is kind of duplicate content => https://www.drupal.org/project/drupal/issues/151311