So you want to give users who are not system administrators the ability to manage roles for other users, but you don’t want to give them the ability to elevate their own roles? How do you allow users to manage other users’ roles without promoting themselves to system administrator?
In the role for the user who you want to have the “manage roles” capability, add “assign” permission for “Security Role” on the “Business Management” tab.
This will make the “manage roles” button appear on user forms and views for the users with this role. However, it will not allow them to assign roles that they don’t already have themselves. If the user with the security role assign permission has “salesperson” role, he or she will be able to assign other roles the “salesperson” role. They will not be able to assign themselves or other users a role that they don’t have, such as system administrator.