Is your feature request related to a problem? Please describe.

Right now, there's just a global "edit" permission for com_users, meaning that if you want to allow someone to edit users, you also have to allow them to edit groups and view levels, which obviously isn't always wanted as a security implication in terms of ACL is associated to that.

Describe the solution you'd like

We should split up the "com_users" ACL right into multiple rights, just like we do in the rest of the CMS:

Tasks:

• split up com_users into com_users.users, com_users.groups, com_users.viewlevels
• adjust permission level checks (so far checking for com_users) throughout the system
• update default permissions to make sure that groups and viewlevels is allowed for Super Admins only
• figure out a 3.x to 4.x migration path

Additional context

JSST had an internal discussion about this topic, but as the current behavior is "by design" and any change would be a b/c break, we decided to open a ticket in the public tracker instead of handling it in a security release.