Default user role is restricted

Category

Security

Summary

Mendix applications can be configured with a default user role that is automatically granted to newly created users. Because this role is assigned to all new users without any explicit review, it is important that it carries only minimal privileges. This check verifies that the default user role is appropriately restricted, ensuring that newly created users cannot access sensitive data or perform privileged actions until a more specific role has been assigned to them.

Options

There are no options for this check.

Pass

The default user role meets all of the following conditions:

• The role cannot manage other users.

• The role is not permitted to access personal data.

• The role's maximum data access level is set to no higher than Level 2 (Internal).

Fail

The default user role fails one or more of the conditions above. Navigate to the data policy for this application, open the User Roles tab, and select the role assigned the Default User Role type. Verify that the role is not granted user management permissions, that Can access personal data is disabled, and that the role does not have access to module roles that grant access to data that is set to Level 3 (Restricted) or higher.

Note: If no user role has been assigned the Default User Role type in the data policy, this check cannot be evaluated. Ensure that the correct role is identified in the User Roles tab before running this check.