Security bug in merge user?
09-18-2020 02:21 AM
In our test instance of Canvas I tested the following scenario.
I created an admin role whose only purpose was to create users. The permissions for the role were:
- Users - manage login details (which enables merge users)
- SIS Data - read
- Users - add / remove students in courses
- Users - add / remove teachers, course designers, or TAs in courses
- Users - view list
- Users - view login IDs
- Users - view primary email address
I then assigned the new role to a test user and logged in as this user for testing. It worked as I wanted: I could create users and enrol them in courses, and I could change passwords for ordinary users but not for users with an admin role.
But then I tried merging users and found that I could create a new user and merge the new user with an admin user. I could then log in as the new user and get the full permissions of the merged admin user.
I would consider this a security bug; the merge should not be permitted.
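The following is an added example, not Canvas code or anything from the poster: a small model of the escalation the post describes, with the unchecked merge beside a hardened one. The `User` model, the permission names (`ACCOUNT_ADMIN` is hypothetical) and the merge semantics (source logins move onto the target) are assumptions made for illustration; the check that blocks the escalation is that an actor may only merge into a target that holds no permission the actor itself lacks.

```python
from dataclasses import dataclass, field

MANAGE_LOGINS = "users:manage_login_details"  # the permission that enables merge
ACCOUNT_ADMIN = "account:admin"               # hypothetical admin-only permission


@dataclass
class User:
    name: str
    logins: set = field(default_factory=set)       # login IDs that sign in as this user
    permissions: set = field(default_factory=set)  # what those logins may do


class MergeNotPermitted(Exception):
    pass


def merge_unchecked(actor, source, target):
    """Merge as the post describes: only the merge permission is checked. The
    source's logins move to the target, so whoever holds a source login can
    now sign in with every permission the target has."""
    if MANAGE_LOGINS not in actor.permissions:
        raise MergeNotPermitted("actor may not manage login details")
    target.logins |= source.logins
    source.logins.clear()
    return target


def merge_checked(actor, source, target):
    """Hardened merge: moving logins onto the target also grants the target's
    permissions to them, so refuse when the target holds anything the actor
    does not (an actor must never hand out more privilege than it has)."""
    if MANAGE_LOGINS not in actor.permissions:
        raise MergeNotPermitted("actor may not manage login details")
    escalated = target.permissions - actor.permissions
    if escalated:
        raise MergeNotPermitted(f"merge would grant {sorted(escalated)}")
    target.logins |= source.logins
    source.logins.clear()
    return target


def replay(merge):
    """Replay the post's scenario with constructed users; True means the login
    the limited admin created can now sign in with the admin's permissions."""
    creator = User("creator", {"creator@example"}, {MANAGE_LOGINS, "users:view_list"})
    new_user = User("new_user", {"new@example"})
    admin = User("admin", {"admin@example"}, {ACCOUNT_ADMIN, MANAGE_LOGINS})
    try:
        merged = merge(creator, new_user, admin)
    except MergeNotPermitted:
        return False
    return "new@example" in merged.logins and ACCOUNT_ADMIN in merged.permissions
```

`replay(merge_unchecked)` returns True (the new login ends up with admin rights) while `replay(merge_checked)` returns False; a merge between two ordinary users still succeeds under the hardened check.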