Module Roles and User Roles
Mendix security uses a two-tier role system: module roles define permissions within a single module, and user roles aggregate module roles across the entire project. An end user's effective permissions are the union of every module role included in their user roles.
Module Roles
A module role represents a set of permissions within a module. Entity access rules, microflow access, and page access are all granted to module roles.
CREATE MODULE ROLE
CREATE MODULE ROLE <Module>.<Role> [DESCRIPTION '<text>'];
Examples:
CREATE MODULE ROLE Shop.Admin DESCRIPTION 'Full administrative access';
CREATE MODULE ROLE Shop.User DESCRIPTION 'Standard customer-facing role';
CREATE MODULE ROLE Shop.Viewer;
DROP MODULE ROLE
DROP MODULE ROLE Shop.Viewer;
Listing Module Roles
SHOW MODULE ROLES;
SHOW MODULE ROLES IN Shop;
User Roles
A user role is a project-level role assigned to end users at login. Each user role includes one or more module roles, granting the user the combined permissions of all included module roles.
CREATE USER ROLE
CREATE USER ROLE <Name> (<Module>.<Role> [, ...]) [MANAGE ALL ROLES];
The MANAGE ALL ROLES option allows users holding this role to assign any user role to other users, so it is typically reserved for administrators.
Examples:
-- Administrator with management rights
CREATE USER ROLE AppAdmin (Shop.Admin, System.Administrator) MANAGE ALL ROLES;
-- Regular user
CREATE USER ROLE AppUser (Shop.User);
-- Read-only viewer
CREATE USER ROLE AppViewer (Shop.Viewer);
ALTER USER ROLE
Add or remove module roles from an existing user role:
ALTER USER ROLE AppAdmin ADD MODULE ROLES (Reporting.Admin);
ALTER USER ROLE AppUser REMOVE MODULE ROLES (Shop.Viewer);
DROP USER ROLE
DROP USER ROLE AppViewer;
Listing User Roles
SHOW USER ROLES;
Typical Setup
A common pattern is to create module roles first, then compose them into user roles:
-- 1. Module roles
CREATE MODULE ROLE Shop.Admin DESCRIPTION 'Full shop access';
CREATE MODULE ROLE Shop.User DESCRIPTION 'Standard shop access';
CREATE MODULE ROLE Reporting.Viewer DESCRIPTION 'View reports';
-- 2. User roles
CREATE USER ROLE Administrator (Shop.Admin, Reporting.Viewer, System.Administrator) MANAGE ALL ROLES;
CREATE USER ROLE Employee (Shop.User, Reporting.Viewer);
CREATE USER ROLE Guest (Shop.User);
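To review a role script such as the one above before it is applied, here is an added Python example (not part of this page or of any Mendix tooling) that parses the CREATE MODULE ROLE, CREATE USER ROLE and ALTER USER ROLE statements and reports two things: user roles that reference a module role the script never defined, and every holder of MANAGE ALL ROLES. The sample script is constructed from the Typical Setup above with one extra ALTER; Audit.Reader is a constructed, deliberately undefined module role, and System.* roles are assumed to be platform-provided.

```python
import re

# Constructed sample: the "Typical Setup" script above plus one ALTER that drifts from it.
SCRIPT = """
CREATE MODULE ROLE Shop.Admin DESCRIPTION 'Full shop access';
CREATE MODULE ROLE Shop.User DESCRIPTION 'Standard shop access';
CREATE MODULE ROLE Reporting.Viewer DESCRIPTION 'View reports';
CREATE USER ROLE Administrator (Shop.Admin, Reporting.Viewer, System.Administrator) MANAGE ALL ROLES;
CREATE USER ROLE Employee (Shop.User, Reporting.Viewer);
CREATE USER ROLE Guest (Shop.User);
ALTER USER ROLE Guest ADD MODULE ROLES (Reporting.Viewer, Audit.Reader);
"""
MODULE_RE = re.compile(r"^CREATE MODULE ROLE (\S+?)(?: DESCRIPTION '[^']*')?;$")
USER_RE = re.compile(r"^CREATE USER ROLE (\w+) \(([^)]*)\)( MANAGE ALL ROLES)?;$")
ALTER_RE = re.compile(r"^ALTER USER ROLE (\w+) (ADD|REMOVE) MODULE ROLES \(([^)]*)\);$")

def _roles(text):
    return {r.strip() for r in text.split(",") if r.strip()}

def parse(script):
    # Returns (defined module roles, {user role: {"roles": set, "manage_all": bool}}).
    module_roles, user_roles = set(), {}
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("--"):
            continue  # blank line or SQL-style comment
        if m := MODULE_RE.match(line):
            module_roles.add(m.group(1))
        elif m := USER_RE.match(line):
            user_roles[m.group(1)] = {"roles": _roles(m.group(2)), "manage_all": bool(m.group(3))}
        elif m := ALTER_RE.match(line):
            target = user_roles[m.group(1)]["roles"]  # KeyError if the user role was never created
            (target.update if m.group(2) == "ADD" else target.difference_update)(_roles(m.group(3)))
        else:
            raise ValueError(f"unrecognised statement: {line}")
    return module_roles, user_roles

def audit(script):
    # Two review findings: dangling module-role references and MANAGE ALL ROLES holders.
    module_roles, user_roles = parse(script)
    findings = []
    for name, ur in user_roles.items():
        for mr in sorted(ur["roles"]):
            # Assumption: System.* module roles are platform-provided and need no CREATE here.
            if mr not in module_roles and not mr.startswith("System."):
                findings.append(f"{name}: references undefined module role {mr}")
        if ur["manage_all"]:
            findings.append(f"{name}: MANAGE ALL ROLES (can assign any user role to others)")
    return findings

print("\n".join(audit(SCRIPT)))
```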
See Also
- Security – overview of the security model
- Entity Access – granting CRUD permissions to module roles
- Document Access – granting microflow and page access
- GRANT / REVOKE – the GRANT and REVOKE statements
- Demo Users – creating test accounts with user roles