Only users with “Manage users and roles” permissions can assign roles to users, and also to edit role assignments and to manage access to certain contentACCESS objects for second users on his own tenant. Otherwise the pages and options related to these settings (Roles and Users pages, and “manage access to“ option on the respective pages) are not available for the logged on user in Central Administration.
The logged on user’s own permissions define, which roles this user will be able to assign, and which role assignments he will be able to edit.
The logged on user must have equivalent or more permissions on the tenant than the role to be assigned for the second user includes. E.g. if the logged on user has only “Edit all” repository items permission assigned on tenant “X”, but he is not allowed to delete these repository items, then he is not allowed to assign a role for a second user with “Delete all” repository items permissions on this X tenant.
Or if the logged on user is tenant administrator on tenant “Y”, but cannot view the archive mailboxes on his tenant (View mailboxes- not allowed), then he cannot assign a role (and also cannot edit a role assignment) containing permissions to view the archive mailboxes of this tenant.
The administrator can assign a role:
- For a newly created/invited user in the Create/Invite user dialog directly
- for an already existing contentACCESS user using the given user’s “Assign role” context menu option