api: check for special roles before locking the usercfg