Summary

Create User form presents all 10 system roles equally for external user types with no guidance, risking inappropriate role assignments.

Steps to Reproduce

1. Log in as admin
2. Navigate to User Management → Create User
3. Select User Type: GUEST (or any non-INTERNAL type)
4. Observe: all 10 system roles are presented with no filtering, no default, and no guidance

Observation

For external users (CUSTOMER, PARTNER, GUEST, COMMUNITY) the roles with known safe semantics are:

Roles beyond CUSTOMER_SUPPORT (DEVELOPER, PROJECT_MANAGER, ADMIN, etc.) have not been evaluated for external user safety.

Actual Behavior

All 10 roles shown regardless of User Type. No default selected. Admin must manually choose with no guidance, risking overprivileged external users. Existing user extuser1 (CUSTOMER) holds PROJECT_MANAGER role, demonstrating the risk is real.

Caveat

The permission matrix for external users across all system roles is not fully documented. Assigning roles beyond CUSTOMER_SUPPORT to external users may grant unintended access. A dedicated spike is required to audit @PreAuthorize annotations and role-gated operations before a safe external-role policy can be enforced.

Proposed Immediate Action

• Document this gap as a known limitation for 1.10.0
• Advise admins to assign only OBSERVER or CUSTOMER_SUPPORT to external users
• Track full role/permission audit as a follow-up spike ticket

Affected Components

• Create User modal (frontend)
• UserServiceImpl (no backend validation of role/usertype compatibility)

Severity

Low (for 1.10.0) — no enforcement change needed now, caveat documented

Follow-up

Spike: audit all @PreAuthorize role checks and produce definitive external-user permission matrix