Module roles in my modules vs module roles in Administration module
Within my modules, I have added an extra role – staff. Staff can generally do what administrators can do with regard to customers but they can’t add / edit staff (except themselves). When I log in as staff member and list all of accounts in the system (admin, staff, customers), the list view gives me all of the users but with most of the attributes missing and there is an error message in the log – the key bit is (I think) is Caused by: com.mendix.basis.objectmanagement.member.MemberAccessDeniedException: Read access denied for member 'System.UserRoles' of object 'Administration.Account' When I list just the customers, I get an empty list – the list is filtered on an xpath of [System.UserRoles = '[%UserRole_Contractor%]'], and that makes sense because I guess it does not have access to system.userroles (though no log message in this case). So, finally getting to my question (!!) – do I need to add a module role of staff to the Administration module security and add staff to the entity access rules? And if I do that, does that mean System security needs to change (which I thought was an absolute no no) and that leads me to a very dark rabbit hole. And if not the above then what is the default way of adding a role that is not as powerful as admin but more powerful than user? I have added the Module Roles that are selected for the staff user role. Notice that I have set Administration.Adminstrator and System.Adminsitrator. They were previously set to User for both System and Administration. Changing them made no difference to the output for a staff memeber.