Currently, “Manage Users” permission encompasses 1) Inviting users, 2) Confirming users, 3) Adding them to groups (without actually having ability to modify Groups or their Access to Collections). Additionally, the “Custom Permission” user cannot modify his/her own group membership, therefore cannot give himself unauthorized access to collections
However, a malicious “manager” could send invite to alternative email, confirm user, and grant that alternative email user access to any group.
The “Invite users” should be a separate permission from “Manage users”
However due to asynchronous nature of the signup process, the “Confirm users” action should remain under “Manager users” permission. This way, a malicious manager cannot invite alternative email for his own benefit. But after a user has been invited by some other admins, the manager is still fully capable of “managing users”, with confirm and group assignment.