You cannot change the default settings of the userrole/module role access rules.
If you want a administrator function to handle certain settings, this will result in an own built solution. i.e. a config entity with enum type attributes with values; read, write and none. Config page for the administrator, where these values can be set for a group or single account.
I'm not how far the Mendix SDK would support what you want. From what I know you can only read/write objects, so not create entire new module roles or such. But I would never directly use the system database. The last thing is very error-prone with id's and such.
Maybe this widget would help you to achieve what you want.