Assign System module roles to user roles via MDL (resolve CE0156)

[ako]

Problem

CE0156 "User role should have at least one System module role" can only be resolved via the Studio Pro System module role GUI. There is no MDL way to assign System.* module roles (e.g. System.User, System.Administrator) to a user role.

Current behavior

User-role management (mdl/executor/cmd_security_write.go:190-303) supports CREATE [OR MODIFY] USER ROLE, ALTER USER ROLE ADD/REMOVE MODULE ROLES, DROP USER ROLE — but System module roles are not grantable through these paths. .claude/skills/mendix/manage-security.md:267 already notes this gap.

Request

Support granting/altering System module roles on user roles (e.g. ALTER USER ROLE <Name> ADD MODULE ROLES (System.User) if System roles can flow through the existing path, or a dedicated clause). Resolves CE0156 from MDL.

Full-stack touch points

• mdl/grammar/MDLParser.g4, mdl/ast/ast_security.go, mdl/visitor/visitor_security.go
• mdl/executor/cmd_security_write.go handler
• mdl/backend/security.go + mdl/backend/mpr/ (+ mock stub)
• .claude/skills/mendix/manage-security.md — document CE0156 resolution

Related

Companion to #7b (admin password). Same feedback item.

---

Source: customer feedback batch (2026-06). Reporter: Miwa. Reporter severity: 4/5.
Filed after codebase investigation at 297e0b0a.

[github-actions]

Issue Triage

Summary:
The issue requests the ability to grant System module roles (e.g., System.User) to user roles through MDL to resolve validation rule CE0156.

Checklist for feature request

Required info	Present?	Notes
Use case – why the feature is needed, what problem it solves	✅	Described: need to resolve CE0156 via MDL instead of Studio Pro GUI.
Proposed syntax or behavior (if applicable)	✅	Example: ALTER USER ROLE <Name> ADD MODULE ROLES (System.User) and mention of existing paths or a dedicated clause.
Mendix version relevance (if version‑specific)	❌	No explicit mention of which Mendix versions this applies to or any version constraints.

What’s missing
Please add information about the Mendix version(s) this feature should target (e.g., whether it applies to all recent Mendix releases, only 10.x+, etc.). If it’s version‑agnostic, a brief note confirming that would be helpful.

Next steps
Once the Mendix version relevance is added, the issue will be complete. Thank you for the detailed proposal!

---

Automated triage via OpenRouter — workflow source