Assigning roles to microflows (and pages) must only be done for client accessible microflows.

Meaning;

1. Connected to buttons
2. Client events such as on-change etc
3. Datasource microflows

Any other microflow mention by Praharaj Mahaprasad Tripathy should never have a role configured. Because then they would be directly accessible by a user, which should not be the case, since they are nested for a reason and thus require context.

Answering your question: no role configured = no role has access.

Sometimes microflows inherit the security of previous microflows (for example sub microflows usually do). Mendix handle these automatically as far as I know.

Hello Haiji Du,

Setting up “Allowed roles” to empty means no users have the priviledge/access to run this microflow. As a best practice and to keep our application opened only to authorized users, it is always advisable to set up “Allowed Roles” of a microflow correctly.

However there are certain instances where setting up an “Allowed roles” to none would still run the microflow successfully. Few of them are mentioned below:

1. When a microflow is called inside another microflow, then the sub-microflow need not have “Allowed roles” defined
2. When a microflow runs as part of a schedule event
3. When the Application Security Level is not set to Production

Hello Haiji Du,

Yes Indeed what you are saying is correct, any one can run that microflow. If no allowed rules are selected it will be displayed as none.

we usually do not select  roles for Sub Microflows, since they are used a generic one which can be triggered from multiple microflows having different set of Allowed roles.