The roles and permissions system in Drupal is powerful, but it can be tricky to configure correctly. Some permissions give a role too much privileged access, while others aren’t granular enough.
An excellent example of this is if you need to create a role to manage user accounts.
Drupal comes with the permission “Administer users”, which lets you create user accounts. Only give this permission to trusted users.
The above-mentioned permission allows you to create user accounts, but you can’t assign them roles without “Administer roles and permissions”. However, “Administer roles and permissions” will enable you to assign any role, including the default Administrator role.
From this:

To this:

In some circumstances, you don’t want users who can create user accounts to have the ability to assign any roles, especially the Administrator role.
What if you want to control exactly which roles can be assigned? This is where Role Delegation can help.
Getting Started
To get started, download and install Role Delegation.
composer require drupal/role_delegation
Using Role Delegation
All the module does is offer granular permissions for assigning roles.
Once the module is installed, go to People > Permissions and search for the Role Delegation section.

You’ll notice that you get a specific permission for each role, and you also get the “Assign all roles” permission for absolute power.
All you need to do is give a role one of the “Assign {role} role” permissions, and users with it will be able to assign other users to that role.
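To check that delegation stays as narrow as intended, the following added example (not part of the original tutorial or the module) reads exported role configuration and reports which roles each role can hand out. It assumes roles are exported as user.role.*.yml files and that the permission machine names are `administer permissions`, `assign all roles` and `assign <role id> role`; the sample exports and function names are constructed for illustration.

```python
import re
ANY_ROLE = "*"  # this example's marker for "may assign every role"

# Constructed sample input: trimmed user.role.*.yml files from a config export.
SAMPLE_EXPORTS = {
    "user.role.administrator.yml": "id: administrator\nis_admin: true\npermissions: {  }\n",
    "user.role.user_manager.yml": (
        "id: user_manager\nis_admin: null\npermissions:\n"
        "  - 'administer users'\n  - 'assign editor role'\n"),
    "user.role.site_builder.yml": (
        "id: site_builder\nis_admin: null\npermissions:\n"
        "  - 'administer users'\n  - 'administer permissions'\n"),
    "user.role.support_lead.yml": (
        "id: support_lead\nis_admin: null\npermissions:\n"
        "  - 'administer users'\n  - 'assign all roles'\n"),
}

def parse_role(text):
    """Extract id, is_admin and the permissions list from one role export."""
    role = {"id": None, "is_admin": False, "permissions": []}
    in_perms = False
    for line in text.splitlines():
        item = re.match(r"\s+-\s+(.+)$", line)
        if in_perms and item:
            role["permissions"].append(item.group(1).strip().strip("'\""))
            continue
        in_perms = line.startswith("permissions:")  # any other key ends the list
        scalar = re.match(r"(id|is_admin):\s*(.*)$", line)  # top-level keys only
        if scalar:
            value = scalar.group(2).strip().strip("'\"")
            role[scalar.group(1)] = (value == "true") if scalar.group(1) == "is_admin" else value
    return role

def assignable_roles(role):
    """Return ANY_ROLE, or the sorted role ids this role is allowed to hand out."""
    perms = set(role["permissions"])
    if role["is_admin"] or perms & {"administer permissions", "assign all roles"}:
        return ANY_ROLE
    return sorted(m.group(1) for m in (re.fullmatch(r"assign (\w+) role", p) for p in perms) if m)

def audit(exports, admin_role="administrator"):
    """Map role id -> assignable roles, and list non-admin roles that can reach admin_role."""
    report, escalation = {}, []
    for text in exports.values():
        role = parse_role(text)
        report[role["id"]] = grants = assignable_roles(role)
        if role["id"] != admin_role and (grants == ANY_ROLE or admin_role in grants):
            escalation.append(role["id"])
    return report, sorted(escalation)
```

Calling `audit(SAMPLE_EXPORTS)` returns the per-role report and the list of non-administrator roles that can still grant the Administrator role, which is the list to review after delegating.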
Assign Role
Once a role has been given a few “Role Delegation” permissions, users with that role can assign roles in two ways.
First, if you edit an account, you should see the Roles checkboxes below Status.

Second, the module adds a new tab on user accounts called Roles. This page lists all the allowed roles as checkboxes.

Select a role and click Save to assign it.
Summary
The functionality that Role Delegation offers should be in Drupal core, in my opinion. If you need to control which roles can be assigned, then it’s a useful module to add to your Drupal site building toolbox.
FAQ
Q: I can’t see the “Administer roles and permissions” permission on my site?
It was changed from “Administer permissions” to “Administer roles and permissions” in Drupal 9.1.