The code implements an after_login logic hook that invalidates the login for any standard user without at least a Role. The sample code purposely does not apply to Administrators as Roles do not apply to them in any case. The code below works on the current version 7.7.2.0.

## afterLoginUsers.php
<?php

// Enrico Simonetti
// enricosimonetti.com

// custom/logichooks/modules/Users/afterLoginUsers.php

class afterLoginUsers
{
    public function callAfterLogin($bean, $event, $args)
    {
        // check if there are roles for this user
        $bean->load_relationship('aclroles');
        $roles = $bean->aclroles->getBeans();
        if(!empty($roles)) {
            $roles_output = array();
            foreach($roles as $role_id => $role_obj) {
                $roles_output[$role_id] = $role_obj->name;
            }

            $GLOBALS['log']->debug('User with user_name: '.$bean->user_name.' and id: '.$bean->id.' logged in successfully and is part of the following roles: "'.implode($roles_output, '", "').'"');
        }

        // force logout if no roles are related to the user for security purposes and if not an admin
        if(!$bean->isAdmin() && empty($roles)) {
            $GLOBALS['log']->security('User with user_name: '.$bean->user_name.' and id: '.$bean->id.' logged in without a valid Role provisioned. Forcing logout.');
            $this->forceLogout();
        }
    }

    protected function forceLogout()
    {
        // start - from logout.php
        foreach($_SESSION as $key => $val) {
            $_SESSION[$key] = '';
        }
        if(isset($_COOKIE[session_name()])) {
            setcookie(session_name(), '', time()-42000, '/');
        }

        SugarApplication::endSession();

        LogicHook::initialize();
        $GLOBALS['logic_hook']->call_custom_logic('Users', 'after_logout');

        //$authController = AuthenticationController::getInstance();
        //$authController->authController->logout();
        // end - from logout.php
    }
}

## install.afterLogin.php
<?php

// Enrico Simonetti
// enricosimonetti.com

// custom/Extension/modules/Users/Ext/LogicHooks/install.afterLogin.php

$hook_array['after_login'][] = array(
    1,
    'after_login check for Roles',
    'custom/logichooks/modules/Users/afterLoginUsers.php',
    'afterLoginUsers',
    'callAfterLogin'
);
	<?php

	// Enrico Simonetti
	// enricosimonetti.com

	// custom/logichooks/modules/Users/afterLoginUsers.php

	class afterLoginUsers
	{
	public function callAfterLogin($bean, $event, $args)
	{
	// check if there are roles for this user
	$bean->load_relationship('aclroles');
	$roles = $bean->aclroles->getBeans();
	if(!empty($roles)) {
	$roles_output = array();
	foreach($roles as $role_id => $role_obj) {
	$roles_output[$role_id] = $role_obj->name;
	}

	$GLOBALS['log']->debug('User with user_name: '.$bean->user_name.' and id: '.$bean->id.' logged in successfully and is part of the following roles: "'.implode($roles_output, '", "').'"');
	}

	// force logout if no roles are related to the user for security purposes and if not an admin
	if(!$bean->isAdmin() && empty($roles)) {
	$GLOBALS['log']->security('User with user_name: '.$bean->user_name.' and id: '.$bean->id.' logged in without a valid Role provisioned. Forcing logout.');
	$this->forceLogout();
	}
	}

	protected function forceLogout()
	{
	// start - from logout.php
	foreach($_SESSION as $key => $val) {
	$_SESSION[$key] = '';
	}
	if(isset($_COOKIE[session_name()])) {
	setcookie(session_name(), '', time()-42000, '/');
	}

	SugarApplication::endSession();

	LogicHook::initialize();
	$GLOBALS['logic_hook']->call_custom_logic('Users', 'after_logout');

	//$authController = AuthenticationController::getInstance();
	//$authController->authController->logout();
	// end - from logout.php
	}
	}