I started working on a new role that will be seeded by default - canned admin. It will be somewhat complimentary to organization admin. It will allow users to create taxonomies and users. It will allow adding users to organizations/locations, but it will not allow to view or manage any other resources. This role will also be allowed to view settings and edit them.
The most significant changes:
- permissions for settings were introduced and settings can be viewed/edited by users with these permissions (previously only admin could do that)
- permission for escalating roles. Until now, only roles that User.current has can be added to another user. Canned admin does not have roles and permissions to manage resources, but they need to be delegated to a new user. At the same time, canned admin shlould not be able to escalate these roles for self and gain access to manage other resources.