In a typical medium to large sized rollout, you'd want a manager to be able to view their own reports and also create/edit user accounts with the ability to view some subset of the reports that the manager can view.
The last part is doable, but if I add a custom role the problem is that giving that role access to the user
administration gives them access to administer ALL the users, not just their own users.
Relatedly a non-technical user finds it confusing that there are two different places that look the same (repository vs. repoAdmin, i.e. View vs. Manage menus), but that if you end up in one the permission functions are missing, but in the other they are there.