Let user without permission add a role

I don't have any specific examples, but you should be able to achieve it using a combination of a custom component and custom endpoint:

1. Create a custom endpoint that takes the login of the user to grant the new role to. It checks the current user is a superuser, and if they are adds the role to the specified user using a restadmin call (which will call the API as an admin).
2. Create a custom component, which is only displayed to the appropriate users, that calls the custom endpoint. You will need to have a way for the super user to specify the username to grant the role to.

You'll need a concrete way of identifying superusers - presumeably based on a certain role. You'll also need to think of where to put the custom component (maybe a custom page).

The approach suggested by nathan seems solid. You may also want to either hardcode the role to grant (in the endpoint), or if it is passed as a parameter, that the parameter is checked against a whitelist of roles that the superusers are supposed to be able of granting (just to avoid someone exploiting the endpoint to add arbitrary roles)

Thanks guys, I think I understand the principle of how it's supposed to work now. The only way to elevate a user's permission is to use Freemarker to do a restadmin call/post, and that needs to be done with the help of a endpoint. My problem is having an actual example. Without a working example of a component and a endpoint I'm lost.

Tim_h you are my star. I wish I could give you more kudos. Thanks so much :)