Give read access to member Name of object System.UserRole to role User

1
Hi, I am trying to display the list of roles as a dropdown in a reference selector. I want the user to be able to select any one role from the list. But when trying to display the list to User, it gives the following error.

com.mendix.core.objectmanagement.SecurityRuntimeException: Read access denied for member 'Name' of object 'System.UserRole'

I tried to give read access to all users for this attribute but the domain model of System module is not editable. How can I give read access to all users for this attribute?

Thank
asked
2 answers
0

Euh.... so you want to allow a user to change its own role. Nice security feature.

As you might grab from above, that's a really bad idea.

1. You cannot change the security access rules in the System module (it's for a reason ;-) )

2. You can assign a user role to "manage users with at least the following roles"; this will allow a user to use, select and manage that role(s) <my advice, don't use it

 

So basically; rethink the needs of the app

 

//Edit

You want that users can filter certain types of users.

My advice is to NOT use the User and/or Account entity for anything other than account handling/login of users. All process details of an app user should be stored in a separate entity, with a 1-1 reference to the Account entity.

For example you have a list of employees using the app. User contains their Username, password and reference to a role. This is ONLY for authentication when accessing the application. The employee details used in the app, such as full name, function, email address etc. should be part of the entity Employee, which has a reference to the account entity.

answered
0

You make a valid point: why are we not able to just set read access to the user roles of other accounts so we can display, say, other same role accounts?

 

It feels weird to say that users are managing each other to achieve this goal (associating something to their Account without having the right to change their user roles etc.).

You don't want to manage their user, but just their account.

 

answered