I have been assigned the 'Key Manager' role (Settings -> Permissions) and I do see the extra UI menu option 'Encryption'. However I don't get to see the extra tile/ranger-service for <cluster>_KMS at Resource Based policies to be able to edit key related policies. I still have to logon as user/identity 'keyadmin' to see the <cluster>_KMS tile in the Service Manager
I learned that for all the capabilities of keyadmin user one has to have the 'keyadmin' role assigned (User Profile / Select Role). Looks like the permission 'Key Manager' and the user role 'keyadmin' are 2 disconnected things. 'Key manager' enables nothing in the classical non-KMS. It is confusing as it promises some extra KMS functions whereas this is really coupled to the 'keyadmin' user role.
I suggest a user should be able to have both 'admin' and 'keyadmin' user roles as 2 alternatives available now are not very good:
1. All KMS admin interactions done by a group of people that have access to the credentials of user 'keyadmin'
2. Setup separate personal account for superadmins. One for doing normal Ranger things and one for doing keyadmin things