Hello,
In DHIS2 2.28 (build 7542585 dated 2018-11-21 02:20), and in the process of delegating parts of my superuser role to colleagues, i have created a user role to manage users with the bellow rights:
- Add/Remove Members In Read-Only User Groups
- Add/Update Private User Role
- Add/Update Public User Group
- Add/Update Public User Role
- Add/Update User
- Add/Update User Group Managing Relationships
- Add/Update User Within Managed Group
- Delete User
- Delete User Role
- Delete User Within Managed Group
- List User Roles
- Replicate user
- See User Maintenance module
- View User
- View User Group Managing Relationships
However, when a user that has the above mentioned user role can only access a subset of the users and not all. In addition to that, the user can edit only a few of the users not all:
The user role can also edit/manage user roles including but not limited to making themselves superuser and/or adding the ALL privilege (which is expected due to the above extensive rights’ list).
When the ALL privilege is assigned to the user role, the user can see the list of all the users and edit them all.
Is there anything i am missing?
Is this a bug?
Did you face something similar?
Looking forward to your help 
All the best,
Bernard.
P.S: the user has access to the root OrgUnit to search, data entry and analytics
Update: JIRA issue logged: [DHIS2-5817] - Jira