There should be a permission for assigning Custom Roles

(User Story, Closed -> Fixed, Priority: Critical, Test Status: No automated tests yet , Reported By Justin du Coeur, )
Security
Summary: This is needed for Arisia: Staff Services should be able to designate people as "Staff", and that should be a Custom Role since it has UI implications.
This implies that we need to make a realer Can Manage Sharing permission. Ultimately this should allow access to the Sharing page, but in the short term we should create _addRole() and _removeRole() functions that are gated by this permission.