It's a security best practice to assign a user only the abilities needed for the tasks they perform. Roles and abilities let you control what each user can do, and both are managed on the User settings page.
Roles
A role describes the main purpose of a user. By default, the following roles can be selected:
Administrator (has no limitations)
Editor (similar to admin, but can't manage users and permissions)
Viewer (can't make any changes)
Billing (for invoice and billing purposes)
A default role may not offer, or may not restrict, the abilities you would like. In that case you can create a custom role. Only custom roles can be edited.
You can create a new custom role and copy the abilities from an existing role.
When you delete a custom role, all users assigned to that role will be assigned the Administrator role, which has no limitations. We recommend assigning those users their new role before deleting the custom role.
Abilities
An ability specifies what a user can do. An ability has an action connected to it:
View [ability]
Create [ability]
Edit [ability]
Delete [ability]
Here [ability] stands for what the action applies to. You can replace it with Users, for example.
Assign a role
You can assign a role to a user when creating or editing a user. The create/edit form will ask you to select a role. The default role is Administrator, which has no limitations, but you can select any role you like.
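The check below illustrates the deletion behaviour described under Roles: it lists what each user would gain if a custom role were deleted while they are still assigned to it, and verifies a reassignment before deletion. It is an added example, not code from the product; the data model, the resource names other than Users, the role names and the user names are all constructed assumptions.

```python
# Added example. The data model below is hypothetical: the page documents
# no export format or API, and every name and value here is constructed.
ACTIONS = ("View", "Create", "Edit", "Delete")   # the four actions from the page
RESOURCES = ("Users", "Invoices", "Projects")    # constructed; the page names only Users

def administrator_abilities(resources=RESOURCES):
    """Administrator has no limitations: every action on every resource."""
    return {f"{a} {r}" for a in ACTIONS for r in resources}

def deletion_impact(role, custom_roles, users):
    """Map each user still on `role` to the abilities they would gain.

    Deleting a custom role moves its users to Administrator, so the gain
    is everything Administrator can do that the custom role did not grant.
    """
    if role not in custom_roles:
        raise KeyError(f"{role!r} is not a custom role")
    gained = sorted(administrator_abilities() - custom_roles[role])
    return {u: gained for u, r in sorted(users.items()) if r == role}

def reassign_then_check(role, replacement, custom_roles, users):
    """Move users from `role` to `replacement`, then confirm deletion is safe.

    Returns the updated assignments; raises if anyone would still be
    escalated, or if the replacement grants more than the old role did.
    """
    extra = custom_roles[replacement] - custom_roles[role]
    if extra:
        raise ValueError(f"{replacement!r} adds abilities: {sorted(extra)}")
    updated = {u: (replacement if r == role else r) for u, r in users.items()}
    if deletion_impact(role, custom_roles, updated):
        raise RuntimeError("users remain on the role being deleted")
    return updated

# Constructed sample data.
CUSTOM_ROLES = {
    "Support": {"View Users", "Edit Users", "View Invoices"},
    "Support (read-only)": {"View Users", "View Invoices"},
}
USERS = {"alice": "Administrator", "bob": "Support", "carol": "Support"}

if __name__ == "__main__":
    for user, gained in deletion_impact("Support", CUSTOM_ROLES, USERS).items():
        print(f"{user} would gain {len(gained)} abilities, e.g. {gained[:3]}")
    USERS = reassign_then_check("Support", "Support (read-only)", CUSTOM_ROLES, USERS)
    print("safe to delete 'Support':", not deletion_impact("Support", CUSTOM_ROLES, USERS))
```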