Role Hierarchy defines if a user can assign some role to other user.

For a user to assign some role to other user, it is required that the current user has appropriate permission to attach roles. For attaching the role, current user should have permission to either of PUT /admin/user_role or PUT /admin/user. Apart from permission check, role level is examined while checking if user is authorized to attach the role.

Each role is assigned a role level value, which is used to determine the user's authorization to assign a specific role to another user. The highest role level value is 0, with lower values indicating higher roles in the role hierarchy. A user cannot assign a role to another user if the role being assigned has a level that is higher than or equal to the role level of any roles currently attached to the user. If you wish to allow users to assign roles with the same role level as the highest role level of their attached roles, you can configure this using the deployment settings API.