There are a number of situations in any application... especially when working for a client that you want to give the user the ability to add users but you don't want to give them the level of the "system administrator" which is the highest admin level in the system.
For example... I often create a role for my clients that disables certain features that you just don't want them to touch... editing templates etc. to stop them from accidentally stuffing something up. These users however still need to be able to add new employees etc. without bothering me, also you may want to just hide features.
However, if you give them the ability to add users in Sitefinity they automatically have the ability to add themselves to the administrator account and have access to settings and things you don't want them to have access to... it's almost like you need the ability to stop a user from assigning a role with higher privileges than they have in the system - don't know how you do that though?
Or maybe you should consider a way to just protect the admin account.
I was talking to Sean about this and he seemed to agree with me that there is a security issue there.
I have just been looking around the forums and this fellow also seemed to share my concern - http://www.sitefinity.com/support/forums/support-forum-thread/b1043S-hgabk.aspx
Yes so maybe just the administrators role should be protected as the "system admin"
What do you think Bob?
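
The rule asked for in the post above, sketched as an added example that is not part of the original post and is not Sitefinity code: a server-side check that refuses a role grant when the role, or the account being edited, carries privileges the acting user lacks. The role names, permission strings and the `check_assignment` / `assign_role` helpers are hypothetical.

```python
from dataclasses import dataclass, field

# Constructed role catalogue: names and permissions are hypothetical,
# not Sitefinity's built-in roles or API.
ROLES = {
    "Administrators": frozenset({"manage_users", "edit_content",
                                 "edit_templates", "edit_settings"}),
    "Designer": frozenset({"edit_content", "edit_templates"}),
    "ClientManager": frozenset({"manage_users", "edit_content"}),
    "Editor": frozenset({"edit_content"}),
}
PROTECTED_ROLES = frozenset({"Administrators"})  # grantable only by members


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)

    def permissions(self):
        """Union of the permissions of every role the user holds."""
        return set().union(*(ROLES[r] for r in self.roles))


def check_assignment(actor, target, role):
    """Return None if actor may give `role` to `target`, else the refusal reason."""
    held = actor.permissions()
    if role not in ROLES:
        return "unknown role"
    if "manage_users" not in held:
        return "actor cannot manage users"
    if role in PROTECTED_ROLES and role not in actor.roles:
        return "protected role"
    if not ROLES[role] <= held:
        # The role would hand out rights the actor does not have (escalation).
        return "role exceeds actor's privileges"
    if target is not actor and not target.permissions() <= held:
        # Also stops a lower-privileged user from editing an admin account.
        return "target outranks actor"
    return None


def assign_role(actor, target, role):
    """Apply the grant server-side only after the check passes."""
    reason = check_assignment(actor, target, role)
    if reason:
        raise PermissionError(f"{actor.name} -> {target.name} [{role}]: {reason}")
    target.roles.add(role)
```

Hiding the role in the user-management UI is not enough on its own; the check has to run wherever the grant is actually applied.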