I think there's a problem with user management in Mendix that affects nearly all apps.
A manager needs to see a list of engineers (in a grid and/or in dropdowns), but he is not allowed to change their user roles.
To make the engineers visible to the manager, the manager needs user management rights for engineers (a checked checkbox at "Users with this user role can manage users with at most the following user roles"). But that also gives the permission to change their user roles and commit that, even when the Account object is fully read-only for Manager.
It's a problem that the UserRoles objects are only accessible with the "manages" permission checkbox checked, and then they are editable too. I notice that in many apps a security hole is created by just granting all the rights to get the app working.
I'd welcome a redesign to make this work well out of the box.