Settings Application Security Roles

The roles that are available for the Settings application are as follows:

Reader: grants the permissions to view all user, group, or custom role details.
UserEditor: In addition to all Reader permissions, grants the permissions to perform CRUD (Create, Read, Update, and Delete) operations on a user but not grant or remove roles to or from a user.
GroupEditor:  In addition to all Reader permissions, Group Editors can perform CRUD (Create, Read, Update, and Delete)operations on a Group but not grant or remove roles to or from a group.
User Permission Editor: grants permissions to assign or remove roles to or from a user.
Group Permission Editor: grants permissions to assign or remove roles to or from a group.
Security Administrator: grants permissions to access the Security Application (Security > Permissions) in the Orchestration Console. This includes granting permissions to assign Reader, UserEditor, GroupEditor, User Permission Editor, and Group Permission Editor roles to users. It also grants the reports reader roles access to the Analytics applicationfor any scope and the administrator role access to the reports application for the Global Scope.
Settings Administrator (System Administrator): grants permissions to access to the Settings application (Settings > Administration) in the Orchestration Console. The System Administrator can set the system languages, email templates, and also create and modify the business model and stores.

The Security Administrator can also create and edit Custom roles.

Note: The Custom Roles tab can be viewed by a Reader but can only be edited by an Administrator.