diff --git a/src/main/java/com/knecon/fforesight/tenantusermanagement/service/UserService.java b/src/main/java/com/knecon/fforesight/tenantusermanagement/service/UserService.java
index 6af19a7..1806e39 100644
--- a/src/main/java/com/knecon/fforesight/tenantusermanagement/service/UserService.java
+++ b/src/main/java/com/knecon/fforesight/tenantusermanagement/service/UserService.java
@@ -642,7 +642,7 @@ public class UserService {
 
     private ValidationResult validateRoleRanks(Set<String> currentRoles, Set<String> userRoles) {
 
-        if (userRoles.stream()
+        if (!userRoles.isEmpty() && userRoles.stream()
                 .allMatch(ApplicationRoles::isKneconRole)) {
             return ValidationResult.INVALID;
         }
diff --git a/src/test/java/com/knecon/fforesight/tenantusermanagement/tests/UserTest.java b/src/test/java/com/knecon/fforesight/tenantusermanagement/tests/UserTest.java
index 0a2da1a..8e93622 100644
--- a/src/test/java/com/knecon/fforesight/tenantusermanagement/tests/UserTest.java
+++ b/src/test/java/com/knecon/fforesight/tenantusermanagement/tests/UserTest.java
@@ -637,6 +637,36 @@ public class UserTest extends AbstractTenantUserManagementIntegrationTest {
     }
 
 
+    @Test
+    public void testOperationsOnUserWithoutRoles() {
+
+        // set context and user
+        TenantContext.setTenantId(AbstractTenantUserManagementIntegrationTest.TEST_TENANT_ID);
+        tokenService.setUser("admin@knecon.com", "secret");
+
+        var createUserRequest = new CreateUserRequest();
+        createUserRequest.setEmail("noroles@notknecon.com");
+        createUserRequest.setFirstName("No");
+        createUserRequest.setLastName("Roles");
+        createUserRequest.setUsername("NoRolesAtAll");
+        createUserRequest.setRoles(new HashSet<>());
+        User noRolesUser = userClient.createUser(createUserRequest);
+
+        userClient.resetPassword(noRolesUser.getUserId(), ResetPasswordRequest.builder().password("SuperSecret42!!").build());
+
+        userClient.activateProfile(noRolesUser.getUserId(), false);
+        noRolesUser = userClient.getUserById(noRolesUser.getUserId());
+        assertFalse(noRolesUser.isActive());
+
+        var allUsers = userClient.getAllUsers(true);
+        var sizeBefore = allUsers.size();
+        userClient.deleteUser(noRolesUser.getUserId());
+        allUsers = userClient.getAllUsers(true);
+        assertThat(allUsers).hasSize(sizeBefore - 1);
+
+    }
+
+
     @Test
     public void testCreateUserWithInvalidEmailFormat() {