“Set Password” with a limited user

Question

I'm using MySQL 5.6. I want to have a limited service-user which is able to create/modify the users of my databases.

Now my problem is that I can quite figure out what privileges my service-user needs to perform all the user administration tasks (create user, grant/revoke db privileges, set password)

1. If I give him the global "create user" and "reload" privileges, he can't use "set password" [= MySQL Error: 1044 (Access denied)]

2. If I give him "select", "insert", "update" on 'mysql'.'user' and 'mysql'.'db', he can't use "set password" [= MySQL Error: 1044 (Access denied)]

3. If I give him "select", "insert", "update" on 'mysql'.*, he CAN use "set password"

I'd like to understand why this is happening, and how to achieve my approach 1 or 2. I don't want to use approach 3.

The "set password" equivalent

UPDATE mysql.user 
SET Password=PASSWORD('newpass') 
WHERE User='bob' 
AND Host='%'; 

...works with my privileges 1 and 2.

Can somebody help me out?