David E Jones wrote: > The original idea was to use this as an extra protection, ie so users don't > describe a party's relationship with something else using a certain role if > the party isn't really in that role. > > The result, however, is that it is cumbersome, a real pain, and a common > complaint... which is why I'm for changing the default behavior.
Could the ability to assign roles require membership in a different security group? If the user has the ability to assign roles it would do it automatically otherwise it would fail. You might even like to have the ability to partition which roles can be assigned by which users but that might get a bit complicated.
