Role Type Standard not behaving as I expect it.

I’m having a little trouble understanding the different role types and how they behave when applied to a role. I would like a setup where a new role is created where the default permission is deny and roles have to be explicitly granted. I would expect the standard type role would achieve this, but when I create a standard role and assign the role to a user, they have FULL access (add, edit, delete) for everything, including admin. I see no difference when I apply a standard type role or an admin role. When I set a role to a deny type, the user by default has nothing until they are allowed access (which I want); however, for the allowed roles the user does not have add, edit, delete (they are view only). Again, the outcome I want is to create a new role where users assigned to that role will get nothing by default until I allow access for each screen, at which point they should have access to add, edit, delete.

Thank you

First of all, the description of role types can be found here: https://doc.cuba-platform.com/manual-6.2/roles.html

I think you can easily create a standard role with the desired behaviour if you use a role of the “Standard” type and add “deny” permissions for all screens. Also select the “Default role” checkbox and the role will be assigned to each new user.

After that, follow these recommendations to assign additional permissions: https://doc.cuba-platform.com/manual-6.2/roles_example.html

My only issue with that approach would be that every time a new screen (permission) is created in the system, I would have to go to all the existing roles that have been created and specifically deny that new screen so that existing roles would have access to the newly created screens. For the system we are building this could be upwards of 100 roles that would have to be individually modified every time a new screen is created.

No, you would have to go to only one role (your “Standard” default role) and add “deny” permission for a new screen to it.
Then if no other role of a user explicitly enables this screen, the user will not have the right to the new screen.
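
A simplified model of the screen-permission behaviour described in this thread, added here as an example (it is not CUBA platform code and not from the posters). It covers only "Standard" roles and screen permissions; the screen ids, role contents and function names are constructed for illustration. The audit function lists screens the default role does not yet deny, which is the gap that opens whenever a new screen is added.

```python
ALLOW, DENY = "allow", "deny"

# Constructed sample data: every screen registered in the application.
ALL_SCREENS = ["sec$User.browse", "sales$Order.browse", "sales$Invoice.browse"]

# Default "Standard" role: explicit deny per screen. The newly added
# "sales$Invoice.browse" screen has not been denied here yet.
DEFAULT_ROLE = {"sec$User.browse": DENY, "sales$Order.browse": DENY}

# An additional "Standard" role that explicitly enables one screen.
SALES_ROLE = {"sales$Order.browse": ALLOW}


def can_open(roles, screen):
    """Resolve access to a screen for a user holding several Standard roles.

    As described in the thread: an explicit allow in any role overrides the
    default role's deny; a deny with no allow blocks the screen; a screen
    that no role mentions stays open, because a Standard role adds no
    implicit restriction.
    """
    verdicts = [role.get(screen) for role in roles]
    if ALLOW in verdicts:
        return True
    if DENY in verdicts:
        return False
    return True


def unguarded_screens(default_role, all_screens):
    """Screens the default role does not explicitly deny.

    Each of these is open to every user until a deny is added to the
    default role, so a non-empty result is a finding to fix.
    """
    return sorted(s for s in all_screens if default_role.get(s) != DENY)


if __name__ == "__main__":
    user_roles = [DEFAULT_ROLE, SALES_ROLE]
    for screen in ALL_SCREENS:
        print(screen, "open" if can_open(user_roles, screen) else "denied")
    print("not denied in default role:", unguarded_screens(DEFAULT_ROLE, ALL_SCREENS))
```

Running the audit whenever a screen is added keeps the fix in one place, the default role, rather than in every other role.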