Roles without a specific string in their name (default ‘Admin’) should not be given rights to manage other roles.
So their user management permissions should look like this:
Choose ‘Selected’ and select no roles. Also do not select ‘(No user roles)’, as that means the role can manage users that do not have a user role.
The default is that group names with ‘Admin’ in the name can manage users.
Noncompliant example:
Compliant example:
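The rule above expressed as an automated check, added here as an illustration and not part of the original page or of any product's own tooling. The `Role` fields (`manage_mode`, `manageable_roles`, `manages_no_role_users`) are a hypothetical model of the settings described, and the sample roles are constructed.

```python
from dataclasses import dataclass, field

EXEMPT_SUBSTRING = "Admin"  # the page's default; case-sensitive match is an assumption

@dataclass
class Role:
    # Hypothetical model of one role's user-management settings.
    name: str
    manage_mode: str = "Selected"            # "All" or "Selected"
    manageable_roles: list = field(default_factory=list)
    manages_no_role_users: bool = False      # the '(No user roles)' option

def violations(role, exempt=EXEMPT_SUBSTRING):
    """Return the reasons a role breaks the rule (empty list = compliant)."""
    if exempt in role.name:
        return []  # roles carrying the exempt string may manage users
    found = []
    if role.manage_mode != "Selected":
        found.append(f"manage mode is '{role.manage_mode}', expected 'Selected'")
    elif role.manageable_roles:
        found.append("can manage roles: " + ", ".join(sorted(role.manageable_roles)))
    if role.manages_no_role_users:
        found.append("'(No user roles)' is selected")
    return found

def audit(roles, exempt=EXEMPT_SUBSTRING):
    """Map each noncompliant role name to its list of reasons."""
    report = {}
    for role in roles:
        reasons = violations(role, exempt)
        if reasons:
            report[role.name] = reasons
    return report

# Constructed sample roles, not taken from any real application.
SAMPLE_ROLES = [
    Role("Administrator", manage_mode="All"),
    Role("User", manage_mode="All"),
    Role("Support", manageable_roles=["User"], manages_no_role_users=True),
    Role("Guest"),
]

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_ROLES).items():
        print(f"{name}: " + "; ".join(reasons))
```

Changing `exempt` to another string shows why the naming convention matters: a role that loses the exempt substring is immediately flagged if it still manages users.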