Right now, when you enable fine-grained permissions for users, you must grant
a specific user the "manage-users" role. Otherwise, you will not be
able to see the "Add User" button even though you have a permission
granting the "manage" scope. It is quite weird actually, because you can
This is because in the UI we are checking only for "manage-users" when deciding
if this button should be shown or not.
One thing we could do here is change the admin console to query for current
user permissions using the Entitlement API and use the permissions returned
in the RPT to decide whether or not something in the UI should be displayed.
I did some tests here and this approach seems to work fine and I think it
will improve a lot how we are handling permissions in the admin console.
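
A sketch of the check proposed above, added here as an example and not taken from the admin console code: it reads the permissions carried in an RPT and decides whether the "Add User" button should be shown. The claim layout (`authorization.permissions` entries with `resource_set_name` and `scopes`), the resource name `Users`, and the helper names are assumptions; it runs under Node.js.

```javascript
// Decode the payload segment of a JWT-formatted RPT. No signature check here:
// the console only uses the result to choose what to render, and the server
// must still enforce the permission on every admin request.
function decodeRptPayload(rpt) {
  const parts = String(rpt).split('.');
  if (parts.length !== 3) throw new Error('RPT is not a three-part JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// True when the RPT grants `scope` on the resource named `resourceName`.
// Malformed tokens and permissions without a scopes list grant nothing
// (fail closed; a choice made for this example).
function hasPermission(rpt, resourceName, scope) {
  let payload;
  try {
    payload = decodeRptPayload(rpt);
  } catch (e) {
    return false;
  }
  const auth = payload && payload.authorization;
  const perms = (auth && Array.isArray(auth.permissions)) ? auth.permissions : [];
  return perms.some(p =>
    p && p.resource_set_name === resourceName &&
    Array.isArray(p.scopes) && p.scopes.includes(scope));
}

// Constructed, unsigned sample RPT for illustration only.
function makeSampleRpt(permissions) {
  const enc = o => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return [enc({ alg: 'none' }), enc({ authorization: { permissions } }), 'sig'].join('.');
}

// The user holds a permission granting the "manage" scope on Users but does
// not hold the "manage-users" role: the button is shown from the RPT alone.
const sampleRpt = makeSampleRpt([{ resource_set_name: 'Users', scopes: ['manage'] }]);
const showAddUser = hasPermission(sampleRpt, 'Users', 'manage');
console.log('show "Add User" button:', showAddUser);
```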