Description of problem:
Setup a user assigned to a group not authorized to:
Login as that user, they can still see the Users and the Change Password link, changing the password fails, but the user shouldn't have access to other users at all. Same with Roles, user cannot make any edits, but they can still see all Roles and the Users assigned to them.
Version-Release number of selected component (if applicable):
we decided a while back that it was ok for all users to be able to see other users/roles in the system just in case they wanted to, for example, set up an alert definition that upon trigger would sent notifications to a list of users and/or a list of roles.
the old UI is going away for RHQ 4 and will be replaced with a new GWT-based one. we'll make sure to pay attention to authorization, and conditionally render links so that unauthorized users don't think they have the ability to change passwords.
Looks like Bug 786159 might address this as a feature.