Tom is non-super user but has the Edit Roles option checked within his role, this is how the permissions list appear in the roles.yaml file:

  permissions:
    - 'cp:access'
    - resolve_duplicates
    - 'users:view'
    - 'users:edit'
    - 'users:create'
    - 'users:delete'
    - 'users:edit-passwords'
    - 'users:edit-roles'

When Tom logs in, how can he edit a role? When he clicks Users in the CP there is no dropdown for Groups or Roles, he can still view profiles, change passwords and all the other goodies but there seems to be no way to make use of the users:edit-roles permission :(