Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrgManageController.java
===================================================================
diff -u -rf2ad75cef0c507a64877942631fee13efbc6ed50 -rb5d493f6a41f8161b6a62a0cea53e78e069bac36
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrgManageController.java (.../OrgManageController.java) (revision f2ad75cef0c507a64877942631fee13efbc6ed50)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/OrgManageController.java (.../OrgManageController.java) (revision b5d493f6a41f8161b6a62a0cea53e78e069bac36)
@@ -29,6 +29,7 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
+import org.apache.log4j.Logger;
 import org.lamsfoundation.lams.admin.web.form.OrgManageForm;
 import org.lamsfoundation.lams.security.ISecurityService;
 import org.lamsfoundation.lams.usermanagement.Organisation;
@@ -59,6 +60,7 @@
 */
 @Controller
 public class OrgManageController {
+ private static Logger log = Logger.getLogger(UserSaveController.class);
 @Autowired
 private ISecurityService securityService;
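Review bot: The logger added to OrgManageController is created with `Logger.getLogger(UserSaveController.class)`, so anything it logs will be attributed to the wrong class and will mislead anyone chasing an authorisation failure in this controller. It should read `private static final Logger log = Logger.getLogger(OrgManageController.class);`. None of the visible hunks of this file actually use `log`, so if it is not used elsewhere in the class the field and the new import could simply be dropped.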
@@ -96,14 +98,15 @@ } // check if user is allowed to view and edit groups - if (!request.isUserInRole(Role.SYSADMIN) && !(isRootOrganisation - ? request.isUserInRole(Role.GROUP_ADMIN) || request.isUserInRole(Role.GROUP_MANAGER) - : securityService.hasOrgRole(orgId, userId, new String[] { Role.GROUP_ADMIN, Role.GROUP_MANAGER }, - "manage courses", false))) { + if (!request.isUserInRole(Role.SYSADMIN) && !userManagementService.isUserGlobalGroupAdmin() + && !(isRootOrganisation + ? request.isUserInRole(Role.GROUP_ADMIN) || request.isUserInRole(Role.GROUP_MANAGER) + : securityService.hasOrgRole(orgId, userId, + new String[] { Role.GROUP_ADMIN, Role.GROUP_MANAGER }, "manage courses", false))) { response.sendError(HttpServletResponse.SC_FORBIDDEN, "User is not a manager or admin in the organisation"); return null; } - + // get number of users figure // TODO use hql that does a count instead of getting whole objects int numUsers = org == rootOrganisation ? userManagementService.getCountUsers() Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserManageController.java =================================================================== diff -u -rf2ad75cef0c507a64877942631fee13efbc6ed50 -rb5d493f6a41f8161b6a62a0cea53e78e069bac36 --- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserManageController.java (.../UserManageController.java) (revision f2ad75cef0c507a64877942631fee13efbc6ed50) +++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserManageController.java (.../UserManageController.java) (revision b5d493f6a41f8161b6a62a0cea53e78e069bac36) 
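Review bot: `userManagementService.isUserGlobalGroupAdmin()` is added here as an unconditional bypass of the organisation check, including when `isRootOrganisation` is true, whereas the same commit gates that role with `!orgId.equals(rootOrgId)` in UserManageController and UserOrgSaveController. If a global group admin is not meant to manage the root organisation, the added clause should be `&& !(userManagementService.isUserGlobalGroupAdmin() && !isRootOrganisation)`; if root access is intentional, a one-line comment saying so would stop the checks drifting further apart. Note also that the new helper takes no user id while the neighbouring checks pass `userId` explicitly, so presumably it resolves the actor from the session — worth a comment. The enclosing handler method begins before and ends after this hunk.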
@@ -101,12 +101,20 @@ if (request.isUserInRole(Role.SYSADMIN) || (userManagementService.isUserGlobalGroupAdmin() && !orgId.equals(rootOrgId))) { userManageForm.setCourseAdminCanAddNewUsers(true); userManageForm.setCourseAdminCanBrowseAllUsers(true); + userManageForm.setCanEditRole(true); request.setAttribute("canDeleteUser", true); - } else if ((userManagementService.isUserInRole(userId, orgOfCourseAdmin.getOrganisationId(), Role.GROUP_ADMIN) - || userManagementService.isUserInRole(userId, orgOfCourseAdmin.getOrganisationId(), Role.GROUP_MANAGER)) + } else if (userManagementService.isUserInRole(userId, orgOfCourseAdmin.getOrganisationId(), Role.GROUP_MANAGER) && !orgId.equals(rootOrgId)) { userManageForm.setCourseAdminCanAddNewUsers(orgOfCourseAdmin.getCourseAdminCanAddNewUsers()); userManageForm.setCourseAdminCanBrowseAllUsers(orgOfCourseAdmin.getCourseAdminCanBrowseAllUsers()); + userManageForm.setCanEditRole(true); + request.setAttribute("canDeleteUser", false); + } else if (userManagementService.isUserInRole(userId, orgOfCourseAdmin.getOrganisationId(), Role.GROUP_ADMIN) + && !orgId.equals(rootOrgId)) { + userManageForm.setCourseAdminCanAddNewUsers(orgOfCourseAdmin.getCourseAdminCanAddNewUsers()); + userManageForm.setCourseAdminCanBrowseAllUsers(orgOfCourseAdmin.getCourseAdminCanBrowseAllUsers()); + userManageForm.setCanEditRole(false); + request.setAttribute("canDeleteUser", false); } else { return forwardError(request, "error.authorisation"); } Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserOrgSaveController.java =================================================================== diff -u -rf2ad75cef0c507a64877942631fee13efbc6ed50 -rb5d493f6a41f8161b6a62a0cea53e78e069bac36 --- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserOrgSaveController.java (.../UserOrgSaveController.java) (revision f2ad75cef0c507a64877942631fee13efbc6ed50) +++ 
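Review bot: The `canEditRole` and `canDeleteUser` values set here only feed the form and the JSP; on their own they do not stop a GROUP_ADMIN from submitting a role change or a delete directly, so every endpoint that acts on those must re-derive the check server-side (UserSaveController and UserOrgSaveController in this commit do so; the delete path is not visible here and should be confirmed). The GROUP_MANAGER and GROUP_ADMIN branches are otherwise identical and each calls `isUserInRole` against the same organisation, so a single branch with `boolean isManager = userManagementService.isUserInRole(userId, orgOfCourseAdmin.getOrganisationId(), Role.GROUP_MANAGER);` followed by `userManageForm.setCanEditRole(isManager);` would remove the duplicated lookups and the copy-pasted setter lines. The enclosing method starts before and ends after this hunk.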
lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserOrgSaveController.java (.../UserOrgSaveController.java) (revision b5d493f6a41f8161b6a62a0cea53e78e069bac36)
@@ -35,10 +35,14 @@
 import org.apache.log4j.Logger;
 import org.lamsfoundation.lams.admin.web.form.UserOrgForm;
 import org.lamsfoundation.lams.usermanagement.Organisation;
+import org.lamsfoundation.lams.usermanagement.OrganisationType;
 import org.lamsfoundation.lams.usermanagement.Role;
 import org.lamsfoundation.lams.usermanagement.User;
 import org.lamsfoundation.lams.usermanagement.UserOrganisation;
+import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
 import org.lamsfoundation.lams.usermanagement.service.IUserManagementService;
+import org.lamsfoundation.lams.web.session.SessionManager;
+import org.lamsfoundation.lams.web.util.AttributeNames;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.ModelAttribute;
@@ -62,6 +66,41 @@ Integer orgId = userOrgForm.getOrgId(); request.setAttribute("org", orgId); + boolean canEditRole = false; + + // sysadmin, global course admins can add/change users and their roles. + // course manager can add existing users in any role except sysadmin + // course admin can add existing users but only as learner + Integer rootOrgId = userManagementService.getRootOrganisation().getOrganisationId(); + if (request.isUserInRole(Role.SYSADMIN) || (userManagementService.isUserGlobalGroupAdmin() && !orgId.equals(rootOrgId))) { + canEditRole = true; + } else { + + Integer loggeduserId = ((UserDTO) SessionManager.getSession().getAttribute(AttributeNames.USER)).getUserID(); + Organisation organisation = (Organisation) userManagementService.findById(Organisation.class, orgId); + if (organisation == null) { + String message = "Adding users to organisation: No permission to access organisation " + orgId; + log.error(message); + response.sendError(HttpServletResponse.SC_FORBIDDEN, message); + return null; + } + if (organisation.getOrganisationType().getOrganisationTypeId().equals(OrganisationType.CLASS_TYPE)) { + organisation = organisation.getParentOrganisation(); + } + if (userManagementService.isUserInRole(loggeduserId, organisation.getOrganisationId(), Role.GROUP_MANAGER) + && !orgId.equals(rootOrgId)) { + canEditRole = true; + } else if (userManagementService.isUserInRole(loggeduserId, organisation.getOrganisationId(), + Role.GROUP_ADMIN) && !orgId.equals(rootOrgId)) { + canEditRole = false; + } else { + String message = "Adding users to organisation: No permission to access organisation " + orgId; + log.error(message); + response.sendError(HttpServletResponse.SC_FORBIDDEN, message); + return null; + } + } + if (rolelist == null) { rolelist = userManagementService.findAll(Role.class); } 
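Review bot: After `organisation = organisation.getParentOrganisation();` for a CLASS_TYPE organisation the code immediately calls `organisation.getOrganisationId()` with no null check, so a class whose parent is missing would surface as a NullPointerException (500) rather than the 403 every other failure path in this block returns; add `if (organisation == null) { ... sendError(SC_FORBIDDEN ...); return null; }` after the parent lookup, or move the existing null guard below it. The "organisation not found" branch logs `No permission to access organisation`, which is fine as the client-facing message but hides a genuinely missing org from operators — the `log.error` text should say the organisation could not be loaded. This whole authorisation block is duplicated almost verbatim in UserSaveController in the same commit, and the two already disagree on whether global group admins are gated by `!orgId.equals(rootOrgId)`; a shared helper (for instance on ISecurityService) that returns the can-edit-role decision or sends the 403 would keep them from diverging further. The enclosing handler starts before and ends after this hunk.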
@@ -90,7 +129,7 @@ } } // add UserOrganisations that are in form data - List newUserOrganisations = new ArrayList(); + List newUserOrganisations = new ArrayList(); for (int i = 0; i < userIdList.size(); i++) { Integer userId = new Integer(userIdList.get(i)); Iterator iter2 = uos.iterator(); @@ -116,6 +155,13 @@ if (newUserOrganisations.isEmpty()) { log.debug("no new users to add to orgId=" + orgId); return "redirect:/usermanage.do?org=" + orgId; + } else if ( !canEditRole ){ + // course admin can only setup learners + log.debug("adding new users as learners to orgId=" + orgId); + for ( UserOrganisation uo : newUserOrganisations ) { + userManagementService.setRolesForUserOrganisation(uo.getUser(), orgId, Arrays.asList(Role.ROLE_LEARNER.toString())); + } + return "redirect:/usermanage.do?org=" + orgId; } else { request.setAttribute("roles", userManagementService.filterRoles(rolelist, request.isUserInRole(Role.SYSADMIN), organisation.getOrganisationType())); Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserRolesController.java =================================================================== diff -u -rf2ad75cef0c507a64877942631fee13efbc6ed50 -rb5d493f6a41f8161b6a62a0cea53e78e069bac36 --- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserRolesController.java (.../UserRolesController.java) (revision f2ad75cef0c507a64877942631fee13efbc6ed50) +++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserRolesController.java (.../UserRolesController.java) (revision b5d493f6a41f8161b6a62a0cea53e78e069bac36) 
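Review bot: The new `!canEditRole` branch in the -116 hunk changes membership for every id in the submitted user list but records it only at `log.debug`; because this is a privilege change performed by a non-admin course admin, it should be logged at info level with the acting user (from the session) and the affected user ids, e.g. `log.info("course admin added " + newUserOrganisations.size() + " learner(s) to orgId=" + orgId);` extended with the actor's id. `Arrays.asList(...)` is used here but no `java.util.Arrays` import appears in this file's import hunk, so check that it is already imported — UserSaveController had to add that import in this same commit. The enclosing method starts before and ends after this hunk.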
@@ -147,7 +147,7 @@
 i++;
 }
 } else {
- errorMap.add("roles", messageService.getMessage("msg.add.to.org", org.getName()));
+ errorMap.add("roles", messageService.getMessage("msg.add.to.org", new Object[] { org.getName() }));
 request.setAttribute("errorMap", errorMap);
 }
 userRolesForm.setRoles(roles);
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserSaveController.java
===================================================================
diff -u -rf2ad75cef0c507a64877942631fee13efbc6ed50 -rb5d493f6a41f8161b6a62a0cea53e78e069bac36
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserSaveController.java (.../UserSaveController.java) (revision f2ad75cef0c507a64877942631fee13efbc6ed50)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/controller/UserSaveController.java (.../UserSaveController.java) (revision b5d493f6a41f8161b6a62a0cea53e78e069bac36)
@@ -23,6 +23,7 @@
 package org.lamsfoundation.lams.admin.web.controller;
+import java.util.Arrays;
 import java.util.Date;
 import javax.servlet.http.HttpServletRequest;
@@ -35,6 +36,9 @@
 import org.lamsfoundation.lams.security.ISecurityService;
 import org.lamsfoundation.lams.themes.Theme;
 import org.lamsfoundation.lams.usermanagement.AuthenticationMethod;
+import org.lamsfoundation.lams.usermanagement.Organisation;
+import org.lamsfoundation.lams.usermanagement.OrganisationType;
+import org.lamsfoundation.lams.usermanagement.Role;
 import org.lamsfoundation.lams.usermanagement.SupportedLocale;
 import org.lamsfoundation.lams.usermanagement.User;
 import org.lamsfoundation.lams.usermanagement.dto.UserDTO;
@@ -78,13 +82,42 @@ // action input Integer orgId = userForm.getOrgId(); Integer userId = userForm.getUserId(); - Integer loggeduserId = ((UserDTO) SessionManager.getSession().getAttribute(AttributeNames.USER)).getUserID(); - // check if logged in User is Sysadmin - if (!securityService.isSysadmin(loggeduserId, "Edit User Details " + userId, true)) { - response.sendError(HttpServletResponse.SC_FORBIDDEN, "Only Sysadmin has edit permisions"); - return null; + boolean canEditRole = false; + + // sysadmin, global course admins can add/change users and their roles. + // course manager can add/change users and their roles iff CourseAdminCanAddNewUsers + // course admin can add/change users but only set role to learner iff CourseAdminCanAddNewUsers + Integer rootOrgId = userManagementService.getRootOrganisation().getOrganisationId(); + if (request.isUserInRole(Role.SYSADMIN) || userManagementService.isUserGlobalGroupAdmin() ) { + canEditRole = true; + } else { + + Integer loggeduserId = ((UserDTO) SessionManager.getSession().getAttribute(AttributeNames.USER)).getUserID(); + Organisation organisation = (Organisation) userManagementService.findById(Organisation.class, orgId); + if (organisation == null) { + String message = "No permission to access organisation " + orgId; + logErrorMessage(userId, message); + response.sendError(HttpServletResponse.SC_FORBIDDEN, message); + return null; + } + if (organisation.getOrganisationType().getOrganisationTypeId().equals(OrganisationType.CLASS_TYPE)) { + organisation = organisation.getParentOrganisation(); + } + if (userManagementService.isUserInRole(loggeduserId, organisation.getOrganisationId(), Role.GROUP_MANAGER) + && !orgId.equals(rootOrgId)) { + canEditRole = true; + } else if (userManagementService.isUserInRole(loggeduserId, organisation.getOrganisationId(), + Role.GROUP_ADMIN) && !orgId.equals(rootOrgId)) { + canEditRole = false; + } else { + String message = "No permission to edit user in organisation " + orgId; + 
logErrorMessage(userId, message); + response.sendError(HttpServletResponse.SC_FORBIDDEN, message); + return null; + } } + UserDTO sysadmin = (UserDTO) SessionManager.getSession().getAttribute(AttributeNames.USER); log.debug("orgId: " + orgId); @@ -190,9 +223,6 @@ user.setPassword(passwordHash); log.debug("creating user... new login: " + user.getLogin()); if (errorMap.isEmpty()) { - // TODO set theme according to user input - // instead of server default. - user.setTheme(userManagementService.getDefaultTheme()); user.setDisabledFlag(false); user.setCreateDate(new Date()); user.setAuthenticationMethod((AuthenticationMethod) userManagementService @@ -201,7 +231,11 @@ user.setUserId(null); user.setLocale(locale); - Theme theme = (Theme) userManagementService.findById(Theme.class, userForm.getUserTheme()); + Theme theme = null; + if ( userForm.getUserTheme() != null ) + theme = (Theme) userManagementService.findById(Theme.class, userForm.getUserTheme()); + if ( theme == null ) + theme = userManagementService.getDefaultTheme(); user.setTheme(theme); userManagementService.saveUser(user); @@ -216,12 +250,18 @@ } if (errorMap.isEmpty()) { - if ((orgId == null) || (orgId == 0)) { + if ((orgId == null) || (orgId == 1)) { return "forward:/usersearch.do"; } - if (edit) { + if ( !edit && !canEditRole) { + // Course Admin created new learner + userManagementService.setRolesForUserOrganisation(user, orgId, Arrays.asList(Role.ROLE_LEARNER.toString())); request.setAttribute("org", orgId); return "forward:/usermanage.do"; + } + else if (edit) { + request.setAttribute("org", orgId); + return "forward:/usermanage.do"; } else { request.setAttribute("orgId", orgId); request.setAttribute("userId", user.getUserId()); 
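Review bot: The rewritten check in the -78 hunk only establishes the logged-in user's role relative to `orgId`, and both `orgId` and `userId` (the account being edited) come straight from `userForm`; unless the remainder of the method, which continues outside this hunk, verifies that `userId` is actually a member of `orgId`, a course manager or course admin could edit arbitrary accounts by pairing their own organisation id with someone else's user id, where previously only a sysadmin could reach this code at all. A membership lookup for `userId` against `orgId` (via userManagementService) should be required before any edit is applied, or the existing one pointed to. The non-sysadmin branch also passes `orgId` straight into `findById` and `orgId.equals(rootOrgId)` without a null check even though the later `(orgId == null)` test in this method shows null is an expected input. Two smaller points: the global group admin bypass here has no `!orgId.equals(rootOrgId)` gate, unlike the otherwise identical block in UserOrgSaveController, so confirm which is intended; and `UserDTO sysadmin = ...` is now misnamed since the session user may be a course manager or admin — `loggedInUser` would be accurate.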
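Review bot: `(orgId == 1)` in the -216 hunk hard-codes the root organisation's database id even though the method already fetched `rootOrgId` from `getRootOrganisation()` in the -78 hunk; use `orgId.equals(rootOrgId)` so the redirect does not depend on how the database was seeded. The change also silently drops the old `orgId == 0` sentinel — if that was guarding a "no organisation selected" form value, that case is now lost and should be restored alongside the root check. The enclosing method starts before and ends after this hunk.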
@@ -234,7 +274,17 @@
 }
 }
- @RequestMapping(path = "/changePass")
+ private void logErrorMessage(Integer userId, String message) {
+ String fullError = null;
+ if ( userId != null ) {
+ fullError = new StringBuilder("Updating user ").append(userId).append(": ").append(message).toString();
+ } else {
+ fullError = new StringBuilder("Creating new user: ").append(message).toString();
+ }
+ log.error(fullError);
+ }
+
+ @RequestMapping(path = "/changePass")
 public String changePass(@ModelAttribute UserForm userForm, HttpServletRequest request, HttpServletResponse response) throws Exception {
Index: lams_admin/src/java/org/lamsfoundation/lams/admin/web/dto/UserListDTO.java
===================================================================
diff -u -r7475d08afc280b5e2e5ddf04e8bf35e3166aaf80 -rb5d493f6a41f8161b6a62a0cea53e78e069bac36
--- lams_admin/src/java/org/lamsfoundation/lams/admin/web/dto/UserListDTO.java (.../UserListDTO.java) (revision 7475d08afc280b5e2e5ddf04e8bf35e3166aaf80)
+++ lams_admin/src/java/org/lamsfoundation/lams/admin/web/dto/UserListDTO.java (.../UserListDTO.java) (revision b5d493f6a41f8161b6a62a0cea53e78e069bac36)
@@ -39,6 +39,7 @@
 private Boolean courseAdminCanAddNewUsers;
 private Boolean courseAdminCanBrowseAllUsers;
 private Boolean canResetOrgPassword;
+ private Boolean canEditRole;
 public List getUserManageBeans() {
 return userManageBeans;
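Review bot: `logErrorMessage` records which user was being edited but not who attempted the edit, and for an authorisation failure the acting user is the field an operator needs; pass the session user's id in as well and include it, e.g. `"Updating user " + userId + " by user " + actorId + ": " + message`. Stylistically the null-initialised `fullError` plus if/else collapses to one expression: `String fullError = (userId != null ? "Updating user " + userId + ": " : "Creating new user: ") + message;`.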
@@ -88,4 +89,12 @@ this.canResetOrgPassword = canResetOrgPassword; } + public Boolean getCanEditRole() { + return canEditRole; + } + + public void setCanEditRole(Boolean canEditRole) { + this.canEditRole = canEditRole; + } + } \ No newline at end of file Index: lams_admin/web/organisation/list.jsp =================================================================== diff -u -r62aaf160878735888d077bf28fac3c1989bb8fbd -rb5d493f6a41f8161b6a62a0cea53e78e069bac36 --- lams_admin/web/organisation/list.jsp (.../list.jsp) (revision 62aaf160878735888d077bf28fac3c1989bb8fbd) +++ lams_admin/web/organisation/list.jsp (.../list.jsp) (revision b5d493f6a41f8161b6a62a0cea53e78e069bac36) @@ -129,8 +129,10 @@
- + + + "> Index: lams_admin/web/userlist.jsp =================================================================== diff -u -r7525e7b5fda723cc9c2c81a78cd8be3785bad851 -rb5d493f6a41f8161b6a62a0cea53e78e069bac36 --- lams_admin/web/userlist.jsp (.../userlist.jsp) (revision 7525e7b5fda723cc9c2c81a78cd8be3785bad851) +++ lams_admin/web/userlist.jsp (.../userlist.jsp) (revision b5d493f6a41f8161b6a62a0cea53e78e069bac36) @@ -171,8 +171,10 @@ - &orgId="> -   + + &orgId="> +   + &orgId=">