diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.Security/Auth/AuthDisableLoginOptions.cs b/src/Server/ZB.MOM.WW.OtOpcUa.Security/Auth/AuthDisableLoginOptions.cs
new file mode 100644
index 00000000..bd330101
--- /dev/null
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Security/Auth/AuthDisableLoginOptions.cs
@@ -0,0 +1,18 @@
+namespace ZB.MOM.WW.OtOpcUa.Security.Auth;
+
+/// <summary>
+///     Dev/test flag: when <see cref="DisableLogin"/> is true the AdminUI bypasses the login
+///     form entirely and auto-authenticates every request as <see cref="User"/> with all roles.
+///     Default OFF. Never enable in production.
+/// </summary>
+public sealed class AuthDisableLoginOptions
+{
+    /// <summary>Configuration section name (<c>Security:Auth</c>).</summary>
+    public const string SectionName = "Security:Auth";
+
+    /// <summary>When true, disable login and auto-authenticate every request. Default false.</summary>
+    public bool DisableLogin { get; set; }
+
+    /// <summary>The username the auto-login principal is minted with. Default "multi-role-test".</summary>
+    public string User { get; set; } = "multi-role-test";
+}
diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.Security/Auth/DevAuthRoles.cs b/src/Server/ZB.MOM.WW.OtOpcUa.Security/Auth/DevAuthRoles.cs
new file mode 100644
index 00000000..0683026f
--- /dev/null
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Security/Auth/DevAuthRoles.cs
@@ -0,0 +1,18 @@
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+
+namespace ZB.MOM.WW.OtOpcUa.Security.Auth;
+
+/// <summary>
+///     The full canonical role set granted to the auto-login dev principal: every
+///     <see cref="AdminRole"/> plus the appsettings-only control-plane role "Operator"
+///     (required by the DriverOperator policy). Centralised so adding an AdminRole
+///     automatically widens the grant.
+/// </summary>
+public static class DevAuthRoles
+{
+    /// <summary>Operator role string — not an <see cref="AdminRole"/> enum member; used by the DriverOperator policy.</summary>
+    public const string Operator = "Operator";
+
+    /// <summary>All roles granted to the auto-login principal.</summary>
+    public static readonly string[] All = [.. Enum.GetNames<AdminRole>(), Operator];
+}
diff --git a/tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/DevAuthRolesTests.cs b/tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/DevAuthRolesTests.cs
new file mode 100644
index 00000000..a0975f2b
--- /dev/null
+++ b/tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/DevAuthRolesTests.cs
@@ -0,0 +1,19 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+using ZB.MOM.WW.OtOpcUa.Security.Auth;
+
+namespace ZB.MOM.WW.OtOpcUa.Security.Tests;
+
+public class DevAuthRolesTests
+{
+    [Fact]
+    public void All_covers_every_AdminRole_plus_Operator()
+    {
+        foreach (var name in Enum.GetNames<AdminRole>())
+            DevAuthRoles.All.ShouldContain(name);
+        DevAuthRoles.All.ShouldContain("Operator");
+        DevAuthRoles.All.Length.ShouldBe(Enum.GetNames<AdminRole>().Length + 1);
+        DevAuthRoles.All.Distinct().Count().ShouldBe(DevAuthRoles.All.Length);
+    }
+}