diff --git a/uffd/default_config.cfg b/uffd/default_config.cfg
index 95c6efdb88badadaf24aaaddb9278d7aba4b7f30..d13385e43324a3260918b2ddb3ed8000dcaea7c3 100644
--- a/uffd/default_config.cfg
+++ b/uffd/default_config.cfg
@@ -21,6 +21,8 @@ MAIL_PASSWORD='*****'
 MAIL_USE_STARTTLS=True
 MAIL_FROM_ADDRESS='foo@bar.com'
 
+ROLES_BASEROLES=['base']
+
 SQLALCHEMY_TRACK_MODIFICATIONS=False
 
 # do NOT set in production
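Review bot: The new `ROLES_BASEROLES=['base']` line has no comment, and its default is non-empty, so an operator reading the config cannot tell what it does to an existing installation. Judging by the other hunks in this commit, every role whose name is listed here is added to a user whenever that user is saved, and its checkbox can no longer be cleared in the form. I would document that directly above the setting, e.g. `# Roles (matched by name) that every user is added to on save; they cannot be deselected in the user form`. Consider shipping `ROLES_BASEROLES=[]` as the default, so that a deployment which already has a role called `base` does not start granting it to everyone after an upgrade.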
diff --git a/uffd/user/templates/user.html b/uffd/user/templates/user.html
index 76b560055574d77301268fd7f78f550bad12e1c8..c735e85096ee0d6fca255a380e222598e2f672da 100644
--- a/uffd/user/templates/user.html
+++ b/uffd/user/templates/user.html
@@ -82,7 +82,9 @@
 						<tr id="role-{{ role.id }}">
 							<td>
 								<div class="form-check">
-									<input class="form-check-input" type="checkbox" id="role-{{ role.id }}-checkbox" name="role-{{ role.id }}" value="1" aria-label="enabled" {% if user.dn in role.member_dns() %}checked{% endif %}>
+									<input class="form-check-input" type="checkbox" id="role-{{ role.id }}-checkbox" name="role-{{ role.id }}" value="1" aria-label="enabled"
+										{% if user.dn in role.member_dns() or role.name in config["ROLES_BASEROLES"] %}checked {% endif %}
+										{% if role.name in config["ROLES_BASEROLES"] %}disabled {% endif %}>
 								</div>
 							</td>
 							<td>
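Review bot: The `checked` attribute on the added lines is now also emitted when `role.name in config["ROLES_BASEROLES"]`, even if `user.dn` is not in `role.member_dns()`, so the form can show a membership that does not exist until the user is next saved. For anyone using this page to check what access a user actually holds, that is misleading. I would keep `checked` tied to real membership, or add a visible hint (for example a "base role" label) next to the disabled box. The membership test is also written twice; a single `{% set is_baserole = role.name in config["ROLES_BASEROLES"] %}` before the `<input>` would keep the two attributes from drifting apart.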
diff --git a/uffd/user/views_user.py b/uffd/user/views_user.py
index 989310173794f02134657766a8a6e86f9af36386..c8afb560afc1a2e8db83a0e305cdfb22f9ef5f4e 100644
--- a/uffd/user/views_user.py
+++ b/uffd/user/views_user.py
@@ -75,7 +75,7 @@ def update(uid=False):
 	roles = Role.query.all()
 	for role in roles:
 		role_member_dns = role.member_dns()
-		if request.values.get('role-{}'.format(role.id), False):
+		if request.values.get('role-{}'.format(role.id), False) or role.name in current_app.config["ROLES_BASEROLES"]:
 			if user.dn in role_member_dns:
 				continue
 			role.add_member(user)
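Review bot: `role.name in current_app.config["ROLES_BASEROLES"]` on the changed `if` line is a list membership test only while the setting is a list; if an operator writes `ROLES_BASEROLES='base'`, Python does substring matching, and any role whose name is a substring of `base` would be granted to every saved user. Because this condition grants membership regardless of what the form submitted, I would read the setting once before the loop and normalise it, e.g. `baseroles = current_app.config["ROLES_BASEROLES"]` followed by `if isinstance(baseroles, str): baseroles = [baseroles]`, then test `role.name in baseroles`. Base roles are also applied only when `update()` runs for a user, so accounts that are never edited would not receive them; whether that is intended is not visible here. The body of `update()` starts before and continues after this hunk.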