Improve Role Inheritance

Description

Currently iDempiere supports role inheritance: a role can be composed of included roles, and in that case it inherits their configuration for menu access options and for org access.

The idea is to extend this feature so that master roles can be defined in the System client. Master roles in the System client can have menu access options (but cannot have org access options, because orgs are not available on System).

  • Client (not System) roles can inherit the access options from System roles, and additionally we want to enable configuring exceptions for the roles:

      • adding specific access not included in the master role, or
      • disabling (adding and inactivating) options included in the master role

  • The inheritance must work just for menu items, but not for org, data or documents. (Please evaluate whether it can be extended to documents too.)

  • We need to add a flag in the role to indicate that it is a "Master Role". Users must not be assigned to Master Roles.

  • The list of "Included roles" must show only "Master Roles".

  • Check the ordering of the process list on the Process Access tab to make it logical.
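
The inheritance rules described above, modelled as an added example (not iDempiere's code and not part of the original ticket). The `Role` class, its field names and the sample roles are constructed for illustration; the model assumes one level of inclusion and that an inactive master role contributes nothing.

```python
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    client: str                      # "System" or a tenant name
    is_master: bool = False          # the "Master Role" flag from the description
    is_active: bool = True
    included: list = field(default_factory=list)  # names of included roles
    menu: dict = field(default_factory=dict)      # menu item -> is the access row active?

def violations(role, roles, user_roles):
    """Rule checks: included roles must be master roles; no users on master roles."""
    found = [f"{role.name} includes non-master role {n}"
             for n in role.included if not roles[n].is_master]
    if role.is_master and role.name in user_roles:
        found.append(f"user assigned to master role {role.name}")
    return found

def effective_menu(role, roles):
    """Grants inherited from active master roles, then the role's own rows as exceptions."""
    granted = set()
    for n in role.included:
        m = roles[n]
        if m.is_master and m.is_active:   # assumption: inactive masters grant nothing
            granted |= {item for item, active in m.menu.items() if active}
    for item, active in role.menu.items():
        if active:
            granted.add(item)       # exception: access not included in the master role
        else:
            granted.discard(item)   # exception: option added and inactivated
    return granted

# Constructed sample data (role and menu names are illustrative only)
ROLES = {r.name: r for r in [
    Role("Sales Master", "System", is_master=True,
         menu={"Sales Order": True, "Business Partner": True, "Customer Invoice": True}),
    Role("Retired Master", "System", is_master=True, is_active=False,
         menu={"Payment": True}),
    Role("Shop Sales", "ShopClient", included=["Sales Master", "Retired Master"],
         menu={"Price List": True, "Customer Invoice": False}),
    Role("Shop Admin", "ShopClient", included=["Shop Sales"]),
]}
USER_ROLES = {"Sales Master"}  # role names with a user assigned (constructed)

if __name__ == "__main__":
    print(sorted(effective_menu(ROLES["Shop Sales"], ROLES)))
    for r in ROLES.values():
        print(r.name, violations(r, ROLES, USER_ROLES))
```

Applying the role's own rows last means a disabling exception always wins over whatever the master roles grant, which keeps the client role's effective access auditable from its own configuration plus the list of active master roles.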

Environment

None

Attachments

6

Activity

Carlos Ruiz October 24, 2012 at 4:48 AM

Juliana Corredor T. October 20, 2012 at 7:13 AM

restrict use of master roles

Carlos Ruiz October 20, 2012 at 4:40 AM

Juliana Corredor T. October 17, 2012 at 4:40 AM

When a Master role is not active, it doesn't allow permissions to be inherited

Carlos Ruiz September 28, 2012 at 12:23 AM

Fixed

Details

Created August 9, 2012 at 7:45 AM
Updated January 18, 2016 at 10:36 AM
Resolved October 24, 2012 at 4:48 AM