diff --git a/plugin/grails-app/controllers/grails/plugin/springsecurity/ui/UserController.groovy b/plugin/grails-app/controllers/grails/plugin/springsecurity/ui/UserController.groovy index fc3a3526..17d99f87 100644 --- a/plugin/grails-app/controllers/grails/plugin/springsecurity/ui/UserController.groovy +++ b/plugin/grails-app/controllers/grails/plugin/springsecurity/ui/UserController.groovy @@ -15,6 +15,7 @@ package grails.plugin.springsecurity.ui import grails.plugin.springsecurity.ui.strategy.UserStrategy +import groovy.transform.CompileStatic /** * @author Burt Beckwith @@ -77,19 +78,27 @@ class UserController extends AbstractS2UiDomainController { protected Map buildUserModel(user) { Set userRoleNames = user[authoritiesPropertyName].collect { it[authorityNameField] } - def granted = [:] - def notGranted = [:] - for (role in sortedRoles()) { + Map roleMap = buildRoleMap(userRoleNames) + + [roleMap: roleMap, tabData: tabData, user: user] + } + + @CompileStatic + protected Map buildRoleMap(Set userRoleNames, List sortedRoles) { + if (!userRoleNames) { + return [:] + } + Map granted = [:] + Map notGranted = [:] + for (role in sortedRoles) { String authority = role[authorityNameField] if (userRoleNames.contains(authority)) { - granted[(role)] = userRoleNames.contains(authority) - } - else { - notGranted[(role)] = userRoleNames.contains(authority) + granted[(role)] = true + } else { + notGranted[(role)] = false } } - - [roleMap: granted + notGranted, tabData: tabData, user: user] + granted + notGranted } protected List sortedRoles() { diff --git a/plugin/src/test/groovy/grails/plugin/springsecurity/ui/UserControllerSpec.groovy b/plugin/src/test/groovy/grails/plugin/springsecurity/ui/UserControllerSpec.groovy new file mode 100644 index 00000000..b3f64c48 --- /dev/null +++ b/plugin/src/test/groovy/grails/plugin/springsecurity/ui/UserControllerSpec.groovy 
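Review bot: `buildUserModel` now calls `buildRoleMap(userRoleNames)` with one argument, but the method added just below is declared as `buildRoleMap(Set userRoleNames, List sortedRoles)`. Unless a one-argument overload exists outside the hunk, this dynamic call fails at runtime with a MissingMethodException; it should read `Map roleMap = buildRoleMap(userRoleNames, sortedRoles())`. The new `if (!userRoleNames) { return [:] }` guard also changes behaviour: previously a user with no authorities still got every role mapped to `false`, and now the role map is empty. If the edit view renders its role checkboxes from `roleMap`, an administrator could no longer grant a first role to such a user. I would drop the early return and change the `[] as Set` and `null` rows in UserControllerSpec to expect all roles mapped to `false`.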
@@ -0,0 +1,33 @@
+package grails.plugin.springsecurity.ui
+
+import grails.testing.web.controllers.ControllerUnitTest
+import spock.lang.Specification
+import spock.lang.Unroll
+
+@Unroll
+class UserControllerSpec extends Specification implements ControllerUnitTest {
+ static final Map ADMIN_ROLE = [authority: "ROLE_ADMIN"]
+ static final Map SUPER_ADMIN_ROLE = [authority: "ROLE_SUPER_ADMIN"]
+ static final Map USER_ROLE = [authority: "ROLE_USER"]
+
+ void "verify proper construction of roleMap for user with roles #rolesAssignedToUser"() {
+ given: "the authority name field has been set to the default name of 'authority'"
+ controller.authorityNameField = "authority"
+
+ and: "we mock the returning of all Role instances within the database"
+ List sortedRoles = [ADMIN_ROLE, SUPER_ADMIN_ROLE, USER_ROLE]
+
+ when: "we call buildRoleMap with the role names associated to the user"
+ Map results = controller.buildRoleMap(rolesAssignedToUser, sortedRoles)
+
+ then: "the user is only granted access to roles with which they are associated"
+ results == expectedResults
+ results instanceof LinkedHashMap
+
+ where:
+ rolesAssignedToUser | expectedResults
+ [ADMIN_ROLE.authority, USER_ROLE.authority] as Set | [(ADMIN_ROLE): true, (SUPER_ADMIN_ROLE): false, (USER_ROLE): true]
+ [] as Set | [:]
+ null | [:]
+ }
+}
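Review bot: The `results == expectedResults` assertion compares maps without regard to entry order, so the granted-first ordering that `granted + notGranted` produces is not verified, even though the spec checks for a `LinkedHashMap`. The first `where:` row lists `SUPER_ADMIN_ROLE` between the two granted roles and would still pass. If the ordering matters to the view, add `results.keySet().toList() == expectedResults.keySet().toList()` and write the expected map in granted-first order. The spec also never goes through `buildUserModel`, so the call site that feeds `buildRoleMap` is not exercised by any test here.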