Hey Martin, it's cool to see you approaching the community for suggestions here.
I can't speak for everyone's needs, but in my organization, the following roles could be helpful.
1) Administrator (Would remain the same as the current account administrator role)
2) Power User (Can activate/remove machines, modify policy, create tasks, etc., but NOT manage permissions)
3) Reporting (Can log into the cloud console to view systems, alerts, view virus chests, etc., but NOT manage permissions, change policy, or activate/remove machines)
Or another approach could be instead of pre-assigned roles, separate various components of the program into groups and allow us to explicitly allow each user access.
For instance, the following categories:
Manage Permissions
Manage Policies
Add/Remove/Activate Systems
Create Tasks
View Reports/Statistics
View Devices
And then each time we add a user, we can specify which of these categories they have access to.