Delegated user administration enables distribution of user administration between several administrators so that each administrator is responsible for a particular set of users. This delegation reduces the number of user administrators that have full authorizations in the portal. With this assignment, users can neither assign roles to groups, nor change the actions assigned to a role. The issue is that these users are now able to amend all existing user profiles. They can administer all available user profiles (modify, delete, lock, unlock, reset password etc.).
The reason for this issue is that vital actions like "UME.Manage_All" and "UME.Manage_Users" are assigned to the delegated user admin role (pcd location:portal_content/administrator/ user_admin/delegated_user_admin_role). Any role that has the "UME.Manage_All" action automatically has role assigner permissions for all roles. Make sure that only the action "Manage_Role_Assignments" is assigned to the delegated user admin role. This provides permissions to assign portal roles for which users have role assigner permissions to users within the assigned company. "Manage_Role_Assignments" is the default action for delegated user administration.