In order to reduce requests to our small admin team, we create a custom user role that allows a minimal number of users in each workspace to add users to Octane and provide the appropriate permissions. The issue we constantly run into, is that those users can provide any permissions, even Workspace and Space admin permissions to any user including themselves.
This poses a risk as we don't want users to have Workspace Admin or Space admin capabilities. These permissions should be hierarchical so those users with our custom "Project Admin" permissions can't apply higher level permissions to themselves or other users. At the very least we should be able to create business rules that will allow us to block certain roles from doing these things where there are no permission options. We cannot currently add business rules for administrative purposes.
In our case, we had to roll back those permissions so they cannot add or edit users, this creates additional work for our users because they now have to create tickets for our team to add/edit users, and creates additional work for our team in order to add/edit those users.
Indeed there is no way currently to manage hierarchy of the roles, however, only shared space admin can assign Space Admin permissions to users.
note also that you can customize the workspace admin role according to the permissions allowed to users at workspace level and disable other permissions that will be done by space admin.
In any case, As the requested functionality indeed is not available for Octane and the use case is clear, i will open this request for votes,