can a user how control rolls asignment for other user
asign himself system admin ? or any other admin roll ?
If so is there a flag or something to prevent him from adding admin rights but still allowing him to give all other rolls ?
Once a user is assigned with user admin and given the permission of role assigner he can assign any kind of role to others, u cannot restrict him from adding admin roles and allowing him to add oter general roles, u cannot seperate the admin roles and give the permission for the user to allow him to assign other roles.
There is a role by name delegated user admin , the person assigned with this role can only adminster the users present in his group he cannot adminster the users who do not belong to his group.
if i understood ur question well then it is happening because of ume actions assigned to user.
check the above link and assign respective ume action to the user
The user with "USER ADMINISTRATOR " role is responsible for creating users/groups/roles and assigning user to groups/roles.
"content administrator " role is responsible used to work with pcd objects ( ivews/pages/worksets/roles)
"system administrator" role is responsible for craeting system aliases/monitoring/administration kind of things
The user who have super admin role can perform all the above
Hope this helps!