diff --git a/news/1704.feature b/news/1704.feature
new file mode 100644
index 0000000000..f0208f02e3
--- /dev/null
+++ b/news/1704.feature
@@ -0,0 +1 @@
+Give Site Administrator permission to manage users. @wesleybl
diff --git a/src/plone/restapi/profiles/default/rolemap.xml b/src/plone/restapi/profiles/default/rolemap.xml
index d6fcc0d439..279cb6b688 100644
--- a/src/plone/restapi/profiles/default/rolemap.xml
+++ b/src/plone/restapi/profiles/default/rolemap.xml
@@ -9,6 +9,11 @@
+
+
+
+
+
diff --git a/src/plone/restapi/services/groups/configure.zcml b/src/plone/restapi/services/groups/configure.zcml
index 491f2f9a47..8fc7b6e3ec 100644
--- a/src/plone/restapi/services/groups/configure.zcml
+++ b/src/plone/restapi/services/groups/configure.zcml
@@ -8,7 +8,7 @@
 method="GET"
 factory=".get.GroupsGet"
 for="Products.CMFCore.interfaces.ISiteRoot"
- permission="cmf.ManagePortal"
+ permission="plone.app.controlpanel.UsersAndGroups"
 name="@groups"
 />
@@ -16,7 +16,7 @@
 method="PATCH"
 factory=".update.GroupsPatch"
 for="Products.CMFCore.interfaces.ISiteRoot"
- permission="cmf.ManagePortal"
+ permission="plone.app.controlpanel.UsersAndGroups"
 name="@groups"
 />
@@ -24,7 +24,7 @@
 method="POST"
 factory=".add.GroupsPost"
 for="Products.CMFCore.interfaces.ISiteRoot"
- permission="cmf.ManagePortal"
+ permission="plone.app.controlpanel.UsersAndGroups"
 name="@groups"
 />
@@ -32,7 +32,7 @@
 method="DELETE"
 factory=".delete.GroupsDelete"
 for="Products.CMFCore.interfaces.ISiteRoot"
- permission="cmf.ManagePortal"
+ permission="plone.app.controlpanel.UsersAndGroups"
 name="@groups"
 />
diff --git a/src/plone/restapi/services/roles/configure.zcml b/src/plone/restapi/services/roles/configure.zcml
index cec643c321..4dfd989234 100644
--- a/src/plone/restapi/services/roles/configure.zcml
+++ b/src/plone/restapi/services/roles/configure.zcml
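Review bot: Moving the four `@groups` services (GET, PATCH, POST, DELETE) from `cmf.ManagePortal` to `plone.app.controlpanel.UsersAndGroups` makes this ZCML permission the only gate visible here, so the boundary between a user manager and a Manager now rests on checks inside the handlers, which are outside this diff. If `GroupsPost` or `GroupsPatch` accept role assignments or membership changes for privileged groups without a further check, a Site Administrator could presumably raise an account to Manager; the same concern applies to the `@users` DELETE hunk and to `can_manage_users` in add.py and update.py. I would require `sm.checkPermission("Manage portal", self.context)` in those handlers whenever a request adds or removes the Manager role or modifies an account that holds it. A test asserting that a Site Administrator is refused in that case would pin the boundary.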
@@ -7,7 +7,7 @@
 method="GET"
 factory=".get.RolesGet"
 for="Products.CMFPlone.interfaces.IPloneSiteRoot"
- permission="cmf.ManagePortal"
+ permission="plone.app.controlpanel.UsersAndGroups"
 name="@roles"
 />
diff --git a/src/plone/restapi/services/users/add.py b/src/plone/restapi/services/users/add.py
index a032be99e2..151a15708f 100644
--- a/src/plone/restapi/services/users/add.py
+++ b/src/plone/restapi/services/users/add.py
@@ -244,7 +244,7 @@ def _error(self, status, _type, msgid):
 @property
 def can_manage_users(self):
 sm = getSecurityManager()
- return sm.checkPermission("plone.app.controlpanel.UsersAndGroups", self.context)
+ return sm.checkPermission("Plone Site Setup: Users and Groups", self.context)
 @property
 def can_set_own_password(self):
diff --git a/src/plone/restapi/services/users/configure.zcml b/src/plone/restapi/services/users/configure.zcml
index e7d3505dec..b3c48ddaee 100644
--- a/src/plone/restapi/services/users/configure.zcml
+++ b/src/plone/restapi/services/users/configure.zcml
@@ -32,7 +32,7 @@
 method="DELETE"
 factory=".delete.UsersDelete"
 for="Products.CMFCore.interfaces.ISiteRoot"
- permission="cmf.ManagePortal"
+ permission="plone.app.controlpanel.UsersAndGroups"
 name="@users"
 />
diff --git a/src/plone/restapi/services/users/get.py b/src/plone/restapi/services/users/get.py
index bef0c3ef0e..75fdf453be 100644
--- a/src/plone/restapi/services/users/get.py
+++ b/src/plone/restapi/services/users/get.py
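Review bot: The permission is now spelled two ways across this change, the ZCML id `plone.app.controlpanel.UsersAndGroups` in the configure.zcml files and the title `"Plone Site Setup: Users and Groups"` in `can_manage_users` in add.py, and nothing at the call site says why. A one-line comment such as `# checkPermission() expects the permission title, not the ZCML id` would keep a later cleanup from reverting it. The same literal is repeated in the get.py and update.py hunks; a shared module-level constant would stop the four call sites from drifting, since a misspelt title most likely does not raise and only changes who passes the check. The class that owns `can_manage_users` starts outside the hunk.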
@@ -153,11 +153,11 @@ def _get_filtered_users(self, query, groups_filter, search_term, limit):
 def has_permission_to_query(self):
 sm = getSecurityManager()
- return sm.checkPermission("Manage portal", self.context)
+ return sm.checkPermission("Plone Site Setup: Users and Groups", self.context)
 def has_permission_to_enumerate(self):
 sm = getSecurityManager()
- return sm.checkPermission("Manage portal", self.context)
+ return sm.checkPermission("Plone Site Setup: Users and Groups", self.context)
 def has_permission_to_access_user_info(self):
 sm = getSecurityManager()
diff --git a/src/plone/restapi/services/users/update.py b/src/plone/restapi/services/users/update.py
index c89dd0b03d..6fdcb20c4b 100644
--- a/src/plone/restapi/services/users/update.py
+++ b/src/plone/restapi/services/users/update.py
@@ -130,7 +130,7 @@ def reply(self):
 @property
 def can_manage_users(self):
 sm = getSecurityManager()
- return sm.checkPermission("plone.app.controlpanel.UsersAndGroups", self.context)
+ return sm.checkPermission("Plone Site Setup: Users and Groups", self.context)
 @property
 def can_set_own_password(self):
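Review bot: `has_permission_to_query` and `has_permission_to_enumerate` in get.py have byte-identical bodies and no docstring, so a reader cannot tell which listing each one guards or whether the two gates are meant to differ. Now that both open user search and enumeration to every holder of the users-and-groups permission, each should get a one-line docstring naming the operation it gates and the role set expected to pass. If they are meant to stay identical, one could delegate to the other so the permission title lives in a single place. Both methods belong to a class whose start is outside the hunk.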