Why do User Management properties affect my read access?

I have a customer administrator role and a super admin role. A customer admin role should be able to create accounts with only itself and lesser. Super admin should be able to create any account. With this logic in mind, I went to Project security settings and ticked the customer admin users managed accordingly, but when I go back to my app and try to create an account, I suddenly have no read access.

This was the error being thrown: ‘com.mendix.webui.WebUIException: Applying change for 'System.UserRoles' of object with id '5348024557505965' (Administration.Account) failed for security reasons. No read access for changed member.’ My access rules for Administration.Account have read and write on customer admins.

The image below shows the thing that will give me the error IF I untick that (No user roles) thing. When I tick it, everything works as per normal. I’m trying to understand why this would affect read permissions when creating an account.

The image below shows what happens when I try to create an account with the (No user roles) unticked. There are unintended behaviours. The user role, language and time zone belong to the System.User entity. I can click the drop-down and select the values, I can select a user role, but after selection, the input select box shows blank (no read access). I wouldn’t know this. It is only when I attempt to submit or cancel that the error is thrown.

The image attached below shows when my role is a super admin, and no errors will be thrown; I can save successfully or cancel the pop-up box.

Thank you for taking your time to read. I can provide more screenshots or additional information if needed!
2 answers

If you create a new user, it has no user role. That is why this happens: you don't have access to edit accounts that have no user role if you don't tick that box.


You should tick that box or create a microflow that creates the User object with a user role already in there.


I ran into a similar issue as Raphael describes, but for existing users. These users do have user roles, so the accepted answer is not relevant in this case, I'd say.
My MxAdmin sees:


My minoradmin, with user management settings:


When I also check the "(No user roles)" and rerun the app, the minoradmin sees:


So it appears to me the algorithm that determines which user roles someone has “at most” also links a “No user roles” to everyone (which is a bit strange imho).

The given solution of checking the box works, but the explanation about new users is not all there is.