# Default user role is restricted

<table><thead><tr><th width="138">Check ID</th><th>APP_0015</th></tr></thead><tbody><tr><td>Category</td><td>Security</td></tr><tr><td>Summary</td><td>Mendix applications can be configured with a default user role that is automatically granted to newly created users. Because this role is assigned to all new users without any explicit review, it is important that it carries only minimal privileges. This check verifies that the default user role is appropriately restricted, ensuring that newly created users cannot access sensitive data or perform privileged actions until a more specific role has been assigned to them.</td></tr><tr><td>Options</td><td>There are no options for this check.</td></tr><tr><td>Pass</td><td><p>The default user role meets all of the following conditions:</p><p></p><ul><li>The role cannot manage other users.</li><li>The role is not permitted to access personal data.</li><li>The role's maximum data access level is set to no higher than Level 2 (Internal).</li></ul></td></tr><tr><td>Fail</td><td><p>The default user role fails one or more of the conditions above. Navigate to the data policy for this application, open the User Roles tab, and select the role assigned the Default User Role type. Verify that the role is not granted user management permissions, that Can access personal data is disabled, and that the role does not have access to module roles that grant access to data that is set to Level 3 (Restricted) or higher.</p><p></p><p>Note: If no user role has been assigned the Default User Role type in the data policy, this check cannot be evaluated. Ensure that the correct role is identified in the User Roles tab before running this check.</p></td></tr></tbody></table>

