Had the same thinking last week, good one!

Still no news on this, but it's something I'd really dig. Sometimes, for simpler roles schemes, I even expose my own role checking wrapper actions to the frontends, so that the grant/revokes are hiden. 

But can't you still grant (and revoke) the role directly by creating/deleting the relevant entity record(s) (i.e. User_Role, User_Effective_Role)?...

That already sounds as a workaround Jorge.

What I'm saying is that this feature would need to be powerful enough to stop that kind of workaround (read-only roles should not be modifiable using SQL statements either), otherwise it's not that consistent and useful in restricting control is it?

It's a shame this hasn't been implemented yet, we have quite a complex set of roles and role definitions for our apps (where often people can be many roles and also items should be visible to many roles), and want to have an app that manages the automatic grant/revoke of roles based on some external data, but is also a front-end for manual requests to be added to a role. This module would then share all it's custom roles with all other apps so those developers don't have to recreate/manage the roles themselves, but we really don't want each developer and app able to edit who is in that role...

As a heads up, I implemented something very similar in my Application Framework a while ago (Application Framework - Overview | OutSystems ). My implementation isn't enforced by the underlying code (because we don't have anything like friends/protected scope, I would have no really good way of granting/revoking roles for users unless I had two copies of the actions, one that enforces restrictions and one that doesn't), it's more of a guideline for the UI, and the out of the box role edit widgets use it.

J.Ja