Make it possible to configure the access rules for the System.User entity.
Currently you can only manage access to System.User by the User Management setting (Allow users of this role to configure users of that role).
This has several drawbacks:
* In a setup with multiple tenants / departments where you usually have a GlobalAdmin/LocalAdmin/User role you usually want that LocalAdmin can manage Users. However with the current user management a LocalAdmin can NOT be restricted to only users of his department/tenant. I.e. a LocalAdmin of tenant A could change users of tenant B
* User groups are not always defined by roles, but may be defined by other properties.
* It's not possible to control user management on attribute level. (e.g. allow a local admin to only change the Active attribut / dissallow a user to change his language)
In Multi-Tenant setups these restrictions lead to many problems or require complex workarounds. And as we all know, the more complex something is, the more errors are made w.r.t security.