# User Roles

The User Roles tab is where you review and validate the user roles defined in your Mendix application. For each role you must confirm a set of required settings before it can be marked as validated. These settings are used by AppControl's policy checks to evaluate whether your application's security configuration is appropriate.

The left panel lists all user roles in your application. Roles showing a warning icon still require validation. Roles showing a green checkmark have been validated.

***

**Validating a user role**

Select a user role from the left panel to open its detail view. If the role has not yet been validated, you will see a notice prompting you to review and confirm the settings before proceeding. Once all required fields are filled in, click Mark as validated in the top right corner.

***

**Settings to confirm**

Each user role requires the following settings to be configured before it can be validated.

User role type — Identifies the nature of the role to AppControl. This is required for security checks performed by app policies. The available types are:

* System Administrator Role: The system administrator role as defined in your Mendix application. This type is detected automatically and cannot be changed.
* Anonymous User Role: The role assigned to unauthenticated (anonymous) users. This type is detected automatically and cannot be changed.
* Default User Role: The role automatically granted to newly created users. Only one user role in your application can be assigned this type.
* Admin Role: Use this for roles with administrative privileges, such as managing other users or controlling access to important application data or functions.
* User Role: Use this for all other non-administrative roles.

Max data access level — The highest classification level that this user role should be permitted to access. This is checked against your data classifications to identify potential over-exposure.

Can access personal data — Enable this if the role is permitted to view personal data belonging to other users. If left off, the role is expected to only access its own personal data or none at all.

***

**Additional role information**

The lower section of the detail view is read-only and shows additional information about the role drawn from your Mendix security configuration.

User management — Shows whether the role can manage all users or manage users without a role assigned.

Manageable roles — Shows which other user roles this role is permitted to manage. If no manageable roles are configured, this section will show that the user cannot manage other roles.

Module roles — Lists the module roles that are mapped to this user role, along with their validation status. This gives you an overview of which underlying access rules are in effect for this role.

