RoleAssign specifically allows site administrators to further delegate the task of managing users' roles while withholding the Administer permissions permission.

RoleAssign introduces a new permission called Assign roles. Users with this permission are able to assign selected roles to still other users. Only users with the Administer permissions permission may select which roles are available for assignment through this module.

RoleAssign is ideal for smaller sites with a system administrator and one assistant administrator role that should be reasonably restricted in what it allows. For larger sites with multiple levels of administrators or whenever you need finer-grained control over which role can assign which other role, check out Role Delegation. See #961682: Does the role delegation module supersede this module? for a short discussion of the relative merits of the two modules.

Background

It is possible for site administrators to delegate user administration through the Administer users permission. But that doesn't include the right to assign roles to users, which is necessary if the delegatee should be able to administer user accounts without intervention from a site administrator.

To delegate the assignment of roles, site administrators have until now had no other choice than to also grant the Administer permissions permission. But that is not advisable, since it gives the right to access all roles and, worse, to grant any rights to any role. That can be abused by the delegatee, who can assign himself all rights and thereby take control of the site.

This module solves this dilemma by introducing the Assign roles permission. While editing a user's account information, a user with this permission will be able to select roles for the user from a set of available roles. Roles available are configured by users with the Administer permissions permission.

CodeKarate has a nice introductory video showing how to use RoleAssign.

Please note!

RoleAssign works well for straightforward scenarios. However, because it requires giving the Administer users permission to the deputy administrators, it may not be suitable for advanced scenarios. See #2962720-5: Users with "administer users" permissions can manage users that have a more privileged role for a discussion of some aspects of roles that are outside of the scope of RoleAssign. Specifically, but without claim to completeness, the following scenarios can lead to potential vulnerabilities of your site:

  1. Installing additional modules beyond core's user module that provide functionality to administer users and/or assign roles. RoleAssign may not be able to limit the list of available roles in those modules, at least not without some module-specific extension, such as #3114240: Restrict roles when adding users with the CAS module. This includes the "Administration: Users" view in the popular Administration Views module, if made available to the deputy administrators.
  2. Having more than two levels of user administrators. User 1 (or equivalent) is protected by core and RoleAssign. However, if there is an intermediate level between user 1 and the RoleAssign-restricted deputy administrators, then the latter may try to take over an intermediate level administrator account by using the power granted by the Administer users permission. Some users have reported success in such scenarios by adding the User protect module.
  3. Using roles for controlling assets beyond permissions; there may be other ways to gain access to those assets than assigning roles.
  4. Generally, the Administer users permission is a security-critical permission, with or without RoleAssign. Do NOT give it to anyone who you don't trust!

If you use more modules than Core and RoleAssign (as almost everyone does, of course), be sure to consider potential interactions that could weaken RoleAssign's effectiveness.
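The following is an added example, not the RoleAssign module's own (PHP) code. It models in Python the permission split described above: the narrow Assign roles permission only reaches the roles a site administrator has put on the allowed list, while Administer permissions reaches every role, and roles a deputy cannot assign are preserved untouched on the account being edited. It also models scenario 2 from the list above with an extra guard, hardened_can_edit, that refuses to let a deputy edit an account holding a role the deputy cannot assign; core does not enforce such a rule, and the role names, account names, uids and the role-to-permission map below are all constructed assumptions.

```python
"""Model of RoleAssign-style role delegation (constructed example, not module code)."""
from dataclasses import dataclass

ADMINISTER_PERMISSIONS = "administer permissions"
ADMINISTER_USERS = "administer users"
ASSIGN_ROLES = "assign roles"

# Assumed site configuration: which permissions each role carries.
ROLE_PERMISSIONS = {
    "authenticated": set(),
    "editor": {"edit any content"},
    "deputy admin": {ADMINISTER_USERS, ASSIGN_ROLES},
    "site admin": {ADMINISTER_USERS, ADMINISTER_PERMISSIONS},
}


class DelegationError(Exception):
    """Raised when an actor attempts a change outside the delegated scope."""


@dataclass
class Account:
    uid: int
    name: str
    roles: set


def permissions_of(account):
    """Union of the permissions of every role the account holds."""
    perms = set()
    for role in account.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def assignable_roles(actor, allowed_roles):
    """Roles the actor may grant or revoke.

    Administer permissions reaches every role; Assign roles reaches only the
    administrator-configured allowed set; anything else reaches nothing.
    """
    all_roles = set(ROLE_PERMISSIONS) - {"authenticated"}
    if ADMINISTER_PERMISSIONS in permissions_of(actor):
        return all_roles
    if ASSIGN_ROLES in permissions_of(actor):
        return set(allowed_roles) & all_roles
    return set()


def core_can_edit(actor, target):
    """What Administer users alone grants: edit any account except user 1."""
    if ADMINISTER_USERS not in permissions_of(actor):
        return False
    return target.uid != 1 or actor.uid == 1


def hardened_can_edit(actor, target, allowed_roles):
    """Extra guard for scenario 2 (assumed rule, not core behaviour):
    a deputy may not edit an account holding a role the deputy cannot assign,
    so a more privileged or peer administrator account is out of reach."""
    if not core_can_edit(actor, target):
        return False
    foreign = target.roles - assignable_roles(actor, allowed_roles) - {"authenticated"}
    return not foreign


def set_roles(actor, target, requested, allowed_roles):
    """Apply the role set submitted on the account edit form.

    Roles outside the actor's assignable set are not offered on the form, so
    they stay unchanged on the target; an explicit request for one the target
    does not already hold is an escalation attempt and is refused.
    """
    if not hardened_can_edit(actor, target, allowed_roles):
        raise DelegationError(f"{actor.name} may not edit {target.name}")
    can = assignable_roles(actor, allowed_roles)
    requested = set(requested) | {"authenticated"}
    escalation = requested - can - target.roles
    if escalation:
        raise DelegationError(f"{actor.name} cannot assign {sorted(escalation)}")
    target.roles = (target.roles - can) | (requested & can)
    return set(target.roles)
```

A deputy holding only Administer users and Assign roles, with "editor" as the sole allowed role, can grant and revoke "editor" on ordinary accounts but is refused both when requesting "site admin" and when trying to edit an account that already holds "site admin" or "deputy admin"; an account with Administer permissions is unrestricted except for user 1.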

Core Issue in Drupal 7 (outside of RoleAssign)

RoleAssign and similar modules typically secure the Administer users permission. However, that permission has the ability to change the Administrator Role on admin/config/people/accounts/settings, which is a serious threat in this context (see #1356964: Hide the Administrator role selection in admin/config/people/accounts unless the user has the 'administer permissions'). The FixCore module has a fix for this issue.
