This configuration affects access for delegated developers that are updating user roles through script. When the configuration is compliant, the developer will not be able to update or insert records into the table sys_user_has_role without also the user_admin role.

The value of this property affects whether a delegated developer is allowed to grant or receive unexpected access to functionality in the instance. When the property contains roles, only those roles may execute script modules.

More information

Attribute	Description
Property name	com.glide.sys.security.delegateddev.block_grant_roles
Configuration type	System Properties (/sys_properties_list.do)
Configure in Instance Security Center	Yes
Purpose	The value of this property affects whether a delegated developer is allowed to grant or receive unexpected access to functionality in the instance.
Type	toggle switch
Recommended value	true
Security Dependencies	none
Functional Impact	When a user with the delegated_developer role is attempting to modify a record in sys_user_has_role, this property enables additional security checks against the operation. The additional security checks validate that the user has been granted the user_admin role if they're trying to create or update sys_user_has_role. If they do not have the user_admin role, the access will be denied. When the property is false, these additional checks are not validated.
Security risk	(High) Without appropriate authorization, unauthorized users may access sensitive content/data on the instance.
References	Access Control

To learn more about adding or creating a system property, see Add a system property.