Functionality involving Users and Roles has been designed to ensure that users are not able to increase their own access to the system. Most users will not have the ability to even see the setup of Security Roles. Others will be able to see how they are defined, but will not be able to change them or apply them to users.
Only administrative level users with at least Modify privileges applied to the three security domains Users, Roles, and Role Memberships will be able to change privileges for users. Even then, an administrator is completely restricted to activities within his or her own privilege levels.
The ability of any particular User to see other Users or to make use of Security Roles will depend on that User's permissions and the Data Context for those permissions.
Example 1 - Visibility of Roles
John is an administrator with only Read privilege on the Portfolios security domain. He would like to assign the role of Data Manager to Susan, but that role includes Modify privilege on the Portfolios security domain. Because a Data Manager has a higher privilege in that one security domain than John has with his own Role(s), he will not be able to assign that role. The role Data Manager will not appear as a pick list entry during the role assignment process; it is invisible to John because it contains a security privilege beyond what John himself has. This restriction is necessary to prevent Users from gaining access to privileges they don't already have.
Example 2 - Visibility of Users
Sue has a role membership with a privilege of Read or better, allowing her to see other Users within the context of Data Source 1, Portfolio A. She will be able to see only those users with role memberships in the same or lesser context as the role membership that allows her to see other users. She will be able to see Jim, who has a role membership restricted to Data Source 1, Portfolio A but will not be able to see Jennie, who has a role membership restricted to Data Source 1, Portfolio B.
There is no limit on the number of users that can participate in a MEC subscription, so this restriction also ensures that the list of other users visible to each particular user remains relevant and manageable.
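The two checks described in Example 1 and Example 2 (a role is assignable only if every privilege it carries is already held by the assigning administrator, and a user is visible only within the same or a narrower Data Context) can be modelled as containment tests. The following is an added Python example written for this page; it is not the product's own code. It assumes an ordering of privilege levels None < Read < Modify, represents a Data Context as a (data source, portfolio) pair where a portfolio of None means the whole data source, and treats a user as visible when at least one of their role memberships falls inside a context in which the viewer holds Read or better on the Users domain. The roles, users and contexts are constructed to mirror John, Susan, Sue, Jim and Jennie from the text.

```python
"""Toy model of the privilege-containment rules in the Users and Roles text.

Assumptions (not from the page): privilege levels are ordered
None < Read < Modify; a Data Context is (data_source, portfolio) with
portfolio=None meaning the whole data source; a user is visible if one
of their memberships lies inside a context where the viewer holds Read
or better on the Users security domain.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PRIVILEGE_RANK = {"None": 0, "Read": 1, "Modify": 2}
ADMIN_DOMAINS = ("Users", "Roles", "Role Memberships")

Context = Tuple[str, Optional[str]]  # (data_source, portfolio or None)


@dataclass
class Role:
    name: str
    privileges: Dict[str, str]  # security domain -> privilege level


@dataclass
class Membership:
    role: Role
    context: Context


@dataclass
class User:
    name: str
    memberships: List[Membership] = field(default_factory=list)

    def privilege(self, domain: str) -> str:
        """Highest privilege this user holds on a domain across all memberships."""
        best = "None"
        for m in self.memberships:
            level = m.role.privileges.get(domain, "None")
            if PRIVILEGE_RANK[level] > PRIVILEGE_RANK[best]:
                best = level
        return best


def role_within(candidate: Role, grantor: User) -> bool:
    """Every privilege in the candidate role is at or below the grantor's own."""
    return all(
        PRIVILEGE_RANK[level] <= PRIVILEGE_RANK[grantor.privilege(domain)]
        for domain, level in candidate.privileges.items()
    )


def can_administer(user: User) -> bool:
    """At least Modify on Users, Roles and Role Memberships is needed to change privileges."""
    return all(PRIVILEGE_RANK[user.privilege(d)] >= PRIVILEGE_RANK["Modify"] for d in ADMIN_DOMAINS)


def assignable_roles(admin: User, catalogue: List[Role]) -> List[str]:
    """Roles that appear in the admin's pick list: only those the admin already dominates."""
    if not can_administer(admin):
        return []
    return [r.name for r in catalogue if role_within(r, admin)]


def context_within(inner: Context, outer: Context) -> bool:
    """inner is the same as, or narrower than, outer (assumed containment rule)."""
    src_in, pf_in = inner
    src_out, pf_out = outer
    return src_in == src_out and (pf_out is None or pf_in == pf_out)


def visible_users(viewer: User, everyone: List[User]) -> List[str]:
    """Other users with a membership inside a context where the viewer can see Users."""
    viewing_contexts = [
        m.context for m in viewer.memberships
        if PRIVILEGE_RANK[m.role.privileges.get("Users", "None")] >= PRIVILEGE_RANK["Read"]
    ]
    return [
        other.name for other in everyone
        if other is not viewer
        and any(context_within(m.context, vc) for m in other.memberships for vc in viewing_contexts)
    ]


# Constructed sample data mirroring the examples in the text (hypothetical role names).
PORTFOLIO_READER_ADMIN = Role("Portfolio Reader Admin", {
    "Users": "Modify", "Roles": "Modify", "Role Memberships": "Modify", "Portfolios": "Read"})
DATA_MANAGER = Role("Data Manager", {"Portfolios": "Modify"})
VIEWER = Role("Viewer", {"Users": "Read", "Portfolios": "Read"})
ANALYST = Role("Analyst", {"Portfolios": "Read"})
CATALOGUE = [PORTFOLIO_READER_ADMIN, DATA_MANAGER, VIEWER, ANALYST]

john = User("John", [Membership(PORTFOLIO_READER_ADMIN, ("Data Source 1", None))])
sue = User("Sue", [Membership(VIEWER, ("Data Source 1", "Portfolio A"))])
jim = User("Jim", [Membership(ANALYST, ("Data Source 1", "Portfolio A"))])
jennie = User("Jennie", [Membership(ANALYST, ("Data Source 1", "Portfolio B"))])
EVERYONE = [john, sue, jim, jennie]

if __name__ == "__main__":
    print("John may assign:", assignable_roles(john, CATALOGUE))  # Data Manager is absent
    print("Sue can see:", visible_users(sue, EVERYONE))           # Jim only
    print("John can see:", visible_users(john, EVERYONE))
```

Data Manager never appears in John's pick list because its Modify on Portfolios exceeds his Read, and Sue sees Jim but not Jennie (different portfolio) nor John (his membership spans the whole data source, which is wider than Sue's context). The containment test is deliberately strict in both directions: a grantor must dominate every domain of the candidate role, not merely most of them, which is what stops a user from bootstrapping additional privilege through role assignment.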