Hi!
In Mendix user roles en module roles are defnied at design time. At runtime you can’t change the role configuration anymore. In runtime you can only assign user roles to users. The roles define which pages and microflows you have access to.
See https://docs.mendix.com/refguide/security/
At the entity level you can apply xpath constraints to limit the data a user is allowed to see based on data in your database. https://docs.mendix.com/refguide/module-security/
In theory it is possible to add an extra layer by carefully placing decisions at the start of each microflow, but it is very hard to get this watertight. If you forget a check in one of the microflows, you immediately have a security breach. So in general this is only recommended in very specific cases,
I hope this helps.