I suppose a system administrator could create the user account, while the data owner can grant an authorization (a concept I strongly like). After some consideration, I think I'm also in reluctant agreement with the above (I really liked the simplicity of "CREATE/ALTER USER").
Under this user management model, API changes should include add/remove methods for auths, rather than simply setAuths. Also, the API should be robust enough to assign and manage data owners, on a per-authorization basis to make this change useful. The ability to grant an authorization should be based on that user's relationship to the authorization in question (eg. data owner), not based on a blanket permission to grant all authorizations.
My concerns under this model, though, remain:
1) if the data owner only grants authorizations to existing users rather than creating users themselves, then a trust relationship must exist between the data owner and the system administrator who created the user, so that the data owner can trust that the user to whom they are assigning auths (based on user name) is the correct user,
2) this trust relationship may add security assumptions to the API that users need to be aware of (imagine a user admin deleting an existing user with authorizations, and re-creating it with a new password that he/she knows), and
3) the separation of responsibilities for user management may add confusion to end users of the type that this ticket intends to avoid.