How to make this work with UserManager role? #41

Open
lorenzulrich opened this issue Oct 16, 2023 · 1 comment

@lorenzulrich
Contributor

A person having the Neos.Neos:UserManager role is allowed to create/edit users with the same or lower privileges - based on their roles.

When using Sandstorm.NeosAcl, you will normally assign Neos.Neos:LivePublisher (or Neos.Neos:Editor) to such users so the dynamic roles don't need to be assigned explicitly.

However, if they don't have these roles assigned explicitly, they technically don't have the same or higher permissions than users with dynamic roles, therefore they can't edit, remove or impersonate them.

How could this be solved? I was thinking about a parent role Sandstorm.NeosAcl:DynamicRole that all dynamic roles inherit from, but I'm not sure if this would solve the problem?

Steps to reproduce

  • Log in as Administrator.
  • Create a dynamic role Foo.
  • Create a user user-manager with roles Neos.Neos:Editor and Neos.Neos:UserManager.
  • Create a user restricted-editor with permissions RestrictedEditor and the dynamic role Foo.
  • Impersonate user user-manager and go to the user management module.

Expected behaviour

  • User user-manager can edit/remove user restricted-editor because they (implicitly) have higher permissions.

Actual behaviour

  • User user-manager can't edit/remove user restricted-editor because they don't have the dynamic Role applied.

Workaround

  • Assign all dynamic Roles to user user-manager.
@lorenzulrich
Contributor Author

The determination whether editing/deleting/impersonating a user is allowed is based on https://github.com/neos/neos-development-collection/blob/9.0/Neos.Neos/Classes/ViewHelpers/Backend/IsAllowedToEditUserViewHelper.php. Here, there is a comparison between the number of roles of the UserManager user and the user to be edited/removed/impersonated. This is a bit undercomplex and maybe not so much a topic of NeosAcl.
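
A simplified model of the role comparison discussed in this thread, run against the reported case, the workaround and the proposed parent role. This is an added example, not code from Neos or Sandstorm.NeosAcl: the rule in `missingRoles()`, the `Dynamic:*` identifiers and the inheritance map are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Simplified model, NOT Neos or Sandstorm.NeosAcl code. Assumptions: the map is
// role => parent roles; 'Dynamic:*' names are constructed; RestrictedEditor is
// modelled as a parent of Editor so the dynamic role is the only difference.
const PARENTS = [
    'Neos.Neos:Editor'      => ['RestrictedEditor'],
    'Dynamic:FooWithParent' => ['Sandstorm.NeosAcl:DynamicRole'], // proposed parent role
];

/** Expand directly assigned roles with all inherited parent roles. */
function effectiveRoles(array $assigned): array
{
    $seen = [];
    while ($assigned !== []) {
        $role = array_pop($assigned);
        if (isset($seen[$role])) {
            continue;
        }
        $seen[$role] = true;
        foreach (PARENTS[$role] ?? [] as $parent) {
            $assigned[] = $parent;
        }
    }
    return array_keys($seen);
}

/** Assumed rule: the actor may manage the target only if this list is empty. */
function missingRoles(array $actor, array $target): array
{
    return array_values(array_diff(effectiveRoles($target), effectiveRoles($actor)));
}

$manager = ['Neos.Neos:Editor', 'Neos.Neos:UserManager'];
$cases = [
    // Steps to reproduce: the target holds a dynamic role the manager lacks.
    'as reported' => [$manager, ['RestrictedEditor', 'Dynamic:Foo']],
    // Workaround: the dynamic role is also assigned to the manager.
    'workaround' => [[...$manager, 'Dynamic:Foo'], ['RestrictedEditor', 'Dynamic:Foo']],
    // Proposal: the manager holds only the shared parent of the dynamic roles.
    'parent role' => [[...$manager, 'Sandstorm.NeosAcl:DynamicRole'],
                      ['RestrictedEditor', 'Dynamic:FooWithParent']],
];
foreach ($cases as $label => [$actor, $target]) {
    $missing = missingRoles($actor, $target);
    printf("%-12s allowed=%s missing=%s\n", $label, $missing === [] ? 'yes' : 'no', json_encode($missing));
}
```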
