Give read access to member Name of object System.UserRole to role User

Hi, I am trying to display the list of roles as a dropdown in a reference selector. I want the user to be able to select any one role from the list. But when trying to display the list to User, it gives the following error. com.mendix.core.objectmanagement.SecurityRuntimeException: Read access denied for member 'Name' of object 'System.UserRole'   I tried to give read access to all users for this attribute but the domain model of System module is not editable.  How can I give read access to all users for this attribute?   Thank
2 answers

Euh.... so you want to allow an user to change its own role. Nice security feature.

As you might grab from above, thats a really bad idea. 

1. You cannot change the security access Rules in the system module ( its for a reason;-) )

2. You can assign a userrole to "manage users with at least the following roles" this will allow a user to use, select and manage that role(s) <my advise, don't use it


So basically; rethink the needs of the app



You want that users can filter certain type of users.

My advise is to NOT use the User and/or Account entity for the other then account handling/login of users. All process details of an app user should be stored in a separated entity, with a 1-1 reference to the Account entity.

For example you have a list of employees using the app. User contains their Username, password and reference to a role. This is ONLY for authentication when accessing the application. The employee details used in the app, such as full name, function, email address etc. should be part of the entity Employee, which has a reference to the account entity.


You make a valid point: why are we not able to just set read access to the user roles of other accounts so we can display, say, other same role accounts?


It feels weird to say that users are managing each other to achieve this goal (associating something to their Account without having the right to change their user roles etc.).

You don't want to manage their user, but just their account.