# System administrator role is restricted

<table><thead><tr><th width="138">Check ID</th><th>APP_0008</th></tr></thead><tbody>
<tr><td>Category</td><td>Security</td></tr>
<tr><td>Summary</td><td><p>Mendix applications have a system administrator role that is used for platform-level administration tasks such as managing users and their roles. This role needs elevated privileges to administer the application, but it should not have broad access to business data. Keeping the system administrator role restricted to its intended purpose limits the exposure of business and personal data if an administrator account is compromised or misused.</p><p>This check verifies that the system administrator role is scoped appropriately and carries no unnecessary data access privileges.</p></td></tr>
<tr><td>Options</td><td>This check does not have any options.</td></tr>
<tr><td>Pass</td><td><p>The system administrator role meets all of the following conditions:</p><ul><li>The role can only manage users who have no roles assigned.</li><li>The role is not permitted to access personal data.</li><li>The role's maximum data access level is set to Level 2 (Internal) or lower.</li><li>The role has no module roles assigned other than System.Administrator and Administration.Administrator.</li></ul></td></tr>
<tr><td>Fail</td><td><p>The system administrator role fails one or more of the conditions above. Navigate to the data policy for this application, open the User Roles tab, and select the role identified as the System Administrator Role. Verify that user management is limited to users without roles, that Can access personal data is disabled, that the maximum data access level is set to Level 2 (Internal) or lower, and that no module roles other than System.Administrator and Administration.Administrator are mapped to this role.</p><p>Assigning additional module roles to the system administrator role is a common source of unintended data access: every module role mapped to a user role grants that user role the module role's entity access, so a business module role mapped here gives every administrator access to that module's data. If your application has business module roles mapped to this role, create a separate administrative user role for those purposes instead.</p><p>Note: The system administrator role is detected automatically by AppControl based on your Mendix security configuration. If this role does not appear correctly in the User Roles tab, verify that your application's security settings are complete and that the data policy has been fully validated.</p></td></tr>
</tbody></table>
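The four Pass conditions above, expressed as a small checker that reports which condition a role violates and why. This is an added example, not AppControl's or Mendix's own code: the `UserRole` structure, the sample roles and the module role name `Orders.Administrator` are constructed for illustration, since the real security model lives inside the Mendix project file and AppControl reads it directly. A real loader would populate `UserRole` from whatever export of the security model you have.

```python
"""Added example: evaluate the APP_0008 conditions against a user-role description.

Illustrative code, not AppControl's or Mendix's own. The UserRole structure and
the sample roles below are constructed; adapt the loader to your own export of
the Mendix security model.
"""
from __future__ import annotations

from dataclasses import dataclass

# The only module roles the system administrator role may carry.
ALLOWED_MODULE_ROLES = frozenset({"System.Administrator", "Administration.Administrator"})
# AppControl data access levels; Level 2 (Internal) is the ceiling for this role.
MAX_DATA_ACCESS_LEVEL = 2


@dataclass
class UserRole:
    name: str
    module_roles: frozenset[str]
    # User roles whose members this role may manage. Empty means it may only
    # manage users that have no roles assigned.
    manageable_user_roles: frozenset[str] = frozenset()
    can_access_personal_data: bool = False
    max_data_access_level: int = 2


def check_system_admin_role(role: UserRole) -> list[str]:
    """Return one finding per violated condition; an empty list means Pass."""
    findings: list[str] = []

    if role.manageable_user_roles:
        findings.append(
            f"manages users holding {sorted(role.manageable_user_roles)}; "
            "restrict user management to users without roles"
        )
    if role.can_access_personal_data:
        findings.append("'Can access personal data' is enabled; disable it")
    if role.max_data_access_level > MAX_DATA_ACCESS_LEVEL:
        findings.append(
            f"maximum data access level is Level {role.max_data_access_level}; "
            f"lower it to Level {MAX_DATA_ACCESS_LEVEL} (Internal) or below"
        )
    # Every module role mapped to a user role adds that module role's entity
    # access to the user role, so any business module role is a data-exposure path.
    extra = role.module_roles - ALLOWED_MODULE_ROLES
    if extra:
        findings.append(
            f"module roles {sorted(extra)} are mapped; move them to a separate "
            "administrative user role"
        )
    return findings


def verdict(role: UserRole) -> str:
    """Pass/Fail verdict in the same terms the check uses."""
    return "Pass" if not check_system_admin_role(role) else "Fail"


# Constructed sample roles (not taken from any real application).
COMPLIANT_ADMIN = UserRole(
    name="Administrator",
    module_roles=frozenset({"System.Administrator", "Administration.Administrator"}),
)

# Violates all four conditions; "Orders.Administrator" is a hypothetical business module role.
OVERPRIVILEGED_ADMIN = UserRole(
    name="Administrator",
    module_roles=frozenset(
        {"System.Administrator", "Administration.Administrator", "Orders.Administrator"}
    ),
    manageable_user_roles=frozenset({"User", "Manager"}),
    can_access_personal_data=True,
    max_data_access_level=3,
)

if __name__ == "__main__":
    for role in (COMPLIANT_ADMIN, OVERPRIVILEGED_ADMIN):
        print(f"{role.name}: {verdict(role)}")
        for finding in check_system_admin_role(role):
            print(f"  - {finding}")
```

Running the script prints `Pass` for the compliant role and `Fail` with four findings for the over-privileged one, mirroring what the User Roles tab would require you to correct.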


