Hello! For standard cloud users (we do not use saml) I've just disabled all in Access control - Organization - Manage. Any user with this custom role can see list of other users, but can't do anything with them or create a new one.
Also, I think it's "Manage the System Organization settings" right.