How to use the Role Access properly?

Hi,

Yes, I’ve already done that. I have a role ‘guests’. I assigned the following services as shown in the image above.

What I’m trying to do now is this: in case a hacker figures out the format of the payload and the URL, I want to prevent him from registering a user with an admin role. I’ve disabled the open registration and used the invitation method as suggested in this thread.

Right now I’m trying to prevent creation of the user by having a condition where the payload’s is_sys_admin is equal to false. Not sure if I’m doing it right, though.

Regards,
Allen