Sometime around San Diego they added this 'reset password' button, which generates a random password that you can provide to user and then they can select their own password.  It appears this button only is available for 'admin'.  In the past we were able to assign 'user_admin' to people and they could help with password resets.

I do not see the logic of giving some T1 support guy administrative rights to all of Prod just so they can reset passwords.  Seems that 'user_admin' was created for this, but they forgot about it when upgrading the password functionality.

Anyone else run into this and have any best practice for giving 'user_admin' or some role access to password resets, but not other admin functionality.

I changed the security on the 'set password' ui action to allow user_admin, but the pop up still shows issues with security.  I think I probably need to modify something in the widget, but I wanted to make sure I wasn't missing another option.  This seems like an obvious need and I wouldn't have expected to do any customization to meet that need (maybe configuration).