The entity access check in Mendix is a bit misleading in this sense. It’s guiding but it’s not entirely correct and trying to resolve all yellow marked modules doesn’t necessarily IMPROVE your security.
Some entities are used by the application only, and in this case that entity requires no user roles to have access.
However this type or kind of entity doesn’t get excluded out of this entity security overview and the check that marks the module yellow.
In this case the entities: AuthenticateEnvironmentRequest, MendixSSOSettings, UserProfile, TokenRefreshResponse, AppRole and AuthRequest are examples of that.
MendixSSO is a module provided by Mendix with platform support and it’s maintained by one of the Mendix teams.
The module should not be altered in any way. As stated in the comment above the entity model
”Internal Implementation (do not change)”
This is generally the best practice by the way, to not alter any marketplace content modules, but instead extend them in your own modules, either through specializations or references.
I just found the answer. When adding the moduleSSO, there are entities that have no user role being able to, at least, read. What you have to do is, for example, give read access to the administrator role.
Done, security complete. I hope it helps
Check if there are other entities for which the access rules have not been setup for that module. That’s when Mendix will tell you that the module has incomplete entity access.
Hope this helps!