Different permissions for user/role/permission/rules management

[tsdogs]

Feature request: I'd like to be able to specify some permissions/roles able to create/update/delete only roles and users (so they cannot mess up with permissions and rules)

Also it would be nice to have them not be able to add this specific permissions to themselves.

[mbunyan]

I think this suggestion raises similar problem to issue/104 where admin role or similar role should approve user. For example:

1. new user can signup, but cannot do anything except accept privacy statement and see selected pages
2. admin sees flag or message to approve or decline new user
3. admin role, or similar role, can approve user and assign role/permission
4. user gets approved or declined message

The user should not be able to change their role/permission, or be able to see any other user details except profile name unless this is a delegated role to act as 'role/permissions' manager. The security and privacy rules have some overlap in this situation.