This configuration affects access for delegated developers that are updating user roles through script. When the configuration is compliant, the developer will not be able to update or insert records into the sys_user_has_role table without also having the user_admin role.

The value of this property affects whether a delegated developer is allowed to grant or receive unexpected access to functionality in the instance. When the property contains roles, only those roles may execute script modules.

More information

Attribute	Description
Property name	com.glide.sys.security.delegateddev.block_grant_roles
Configuration type	System Properties (/sys_properties_list.do)
Category	Access control
Purpose	The value of this property affects whether a delegated developer is allowed to grant or receive unexpected access to functionality in the instance.
Type	toggle switch
Default value	true
Recommended value	true
Security Dependencies	none
Security risk rating	6.7
Functional impact	When a user with the delegated_developer role is attempting to modify a record in the sys_user_has_role table, this property enables additional security checks against the operation. The additional security checks validate that the user has been granted the user_admin role if they're trying to create or update the sys_user_has_role table. If they do not have the user_admin role, the access will be denied. When the property is false, these additional checks are not validated.
Security risk	(Moderate) Without appropriate authorization, unauthorized users may access sensitive content/data on the instance.
References	Access control

To learn more about adding or creating a system property, see Add a system property.