diff --git a/Neos.ContentRepositoryRegistry/Classes/Service/EventMigrationService.php b/Neos.ContentRepositoryRegistry/Classes/Service/EventMigrationService.php
index e1b3b4dae8..654e014cf0 100644
--- a/Neos.ContentRepositoryRegistry/Classes/Service/EventMigrationService.php
+++ b/Neos.ContentRepositoryRegistry/Classes/Service/EventMigrationService.php
@@ -47,6 +47,7 @@
 use Neos\EventStore\Model\EventStream\EventStreamFilter;
 use Neos\EventStore\Model\EventStream\ExpectedVersion;
 use Neos\EventStore\Model\EventStream\VirtualStreamName;
+use Neos\Neos\Domain\Model\NeosUserRole;
 use Neos\Neos\Domain\Model\WorkspaceClassification;
 use Neos\Neos\Domain\Model\WorkspaceRole;
 use Neos\Neos\Domain\Model\WorkspaceRoleSubjectType;
@@ -719,18 +720,18 @@ public function migrateWorkspaceMetadataToWorkspaceService(\Closure $outputFn):
 if ($workspaceName->isLive()) {
 $roleAssignments[] = [
 'subject_type' => WorkspaceRoleSubjectType::GROUP->value,
- 'subject' => 'Neos.Neos:LivePublisher',
+ 'subject' => NeosUserRole::LIVE_PUBLISHER->value,
 'role' => WorkspaceRole::COLLABORATOR->value,
 ];
 $roleAssignments[] = [
 'subject_type' => WorkspaceRoleSubjectType::GROUP->value,
- 'subject' => 'Neos.Flow:Everybody',
+ 'subject' => NeosUserRole::EVERYBODY->value,
 'role' => WorkspaceRole::VIEWER->value,
 ];
 } elseif ($isInternalWorkspace) {
 $roleAssignments[] = [
 'subject_type' => WorkspaceRoleSubjectType::GROUP->value,
- 'subject' => 'Neos.Neos:AbstractEditor',
+ 'subject' => NeosUserRole::ABSTRACT_EDITOR->value,
 'role' => WorkspaceRole::COLLABORATOR->value,
 ];
 } elseif ($isPrivateWorkspace) {
diff --git a/Neos.Neos/Classes/Domain/Model/NeosUserRole.php b/Neos.Neos/Classes/Domain/Model/NeosUserRole.php
new file mode 100644
index 0000000000..23a2af5f09
--- /dev/null
+++ b/Neos.Neos/Classes/Domain/Model/NeosUserRole.php
@@ -0,0 +1,22 @@ +value, WorkspaceRole::COLLABORATOR
 ),
 WorkspaceRoleAssignment::createForGroup(
- 'Neos.Flow:Everybody',
+ NeosUserRole::EVERYBODY->value,
 WorkspaceRole::VIEWER
 )
 );
@@ -76,7 +76,7 @@ public static function createForSharedWorkspace(UserId $userId): self
 WorkspaceRole::MANAGER,
 ),
 WorkspaceRoleAssignment::createForGroup(
- 'Neos.Neos:AbstractEditor',
+ NeosUserRole::ABSTRACT_EDITOR->value,
 WorkspaceRole::COLLABORATOR,
 )
 );
diff --git a/Neos.Neos/Classes/Domain/Service/UserService.php b/Neos.Neos/Classes/Domain/Service/UserService.php
index dfa1616d00..29e7254a9b 100644
--- a/Neos.Neos/Classes/Domain/Service/UserService.php
+++ b/Neos.Neos/Classes/Domain/Service/UserService.php
@@ -37,6 +37,7 @@
 use Neos\Flow\Session\SessionManager;
 use Neos\Flow\Utility\Now;
 use Neos\Neos\Domain\Exception;
+use Neos\Neos\Domain\Model\NeosUserRole;
 use Neos\Neos\Domain\Model\User;
 use Neos\Neos\Domain\Model\UserId;
 use Neos\Neos\Domain\Repository\UserRepository;
@@ -321,7 +322,7 @@ public function addUser(
 $authenticationProviderName = null
 ) {
 if ($roleIdentifiers === null) {
- $roleIdentifiers = ['Neos.Neos:Editor'];
+ $roleIdentifiers = [NeosUserRole::EDITOR->value];
 }
 $roleIdentifiers = $this->normalizeRoleIdentifiers($roleIdentifiers);
 $account = $this->accountFactory->createAccountWithPassword(
@@ -663,7 +664,7 @@ public function deactivateUser(User $user): void
 */
 public function currentUserIsAdministrator(): bool
 {
- return $this->securityContext->hasRole('Neos.Neos:Administrator');
+ return $this->securityContext->hasRole(NeosUserRole::ADMINISTRATOR->value);
 }
 
 /**
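Review bot: Both `WorkspaceRoleAssignment::createForGroup(...)` call sites unpack the new enum with `->value` right away, which discards the type this commit introduces at the first project-internal boundary. If `createForGroup` is under this repository's control (its signature is not in the hunk), accepting `NeosUserRole|string` there and reading `->value` once inside would keep the identifier typed up to the genuine string boundary, Flow's `hasRole()` in UserService. This is a style point only; the emitted identifiers are unchanged. The enclosing factory methods, including `createForSharedWorkspace`, start outside the hunk.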
@@ -736,8 +737,8 @@ protected function normalizeRoleIdentifier($roleIdentifier)
 public function getAllRoles(User $user): array
 {
 $roles = [
- 'Neos.Flow:Everybody' => $this->policyService->getRole('Neos.Flow:Everybody'),
- 'Neos.Flow:AuthenticatedUser' => $this->policyService->getRole('Neos.Flow:AuthenticatedUser')
+ NeosUserRole::EVERYBODY->value => $this->policyService->getRole(NeosUserRole::EVERYBODY->value),
+ NeosUserRole::AUTHENTICATED_USER->value => $this->policyService->getRole(NeosUserRole::AUTHENTICATED_USER->value)
 ];
 
 /** @var Account $account */
diff --git a/Neos.Neos/Classes/Security/Authorization/ContentRepositoryAuthorizationService.php b/Neos.Neos/Classes/Security/Authorization/ContentRepositoryAuthorizationService.php
index b187e63f7a..d657175357 100644
--- a/Neos.Neos/Classes/Security/Authorization/ContentRepositoryAuthorizationService.php
+++ b/Neos.Neos/Classes/Security/Authorization/ContentRepositoryAuthorizationService.php
@@ -14,6 +14,7 @@
 use Neos\Flow\Security\Context;
 use Neos\Flow\Security\Policy\PolicyService;
 use Neos\Flow\Security\Policy\Role;
+use Neos\Neos\Domain\Model\NeosUserRole;
 use Neos\Neos\Domain\Model\NodePermissions;
 use Neos\Neos\Domain\Model\UserId;
 use Neos\Neos\Domain\Model\WorkspacePermissions;
@@ -33,8 +34,6 @@
 #[Flow\Scope('singleton')]
 final readonly class ContentRepositoryAuthorizationService
 {
- private const ROLE_NEOS_ADMINISTRATOR = 'Neos.Neos:Administrator';
-
 public function __construct(
 private WorkspaceMetadataAndRoleRepository $metadataAndRoleRepository,
 private PolicyService $policyService,
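Review bot: `NeosUserRole::EVERYBODY` and `NeosUserRole::AUTHENTICATED_USER` in `getAllRoles` stand for identifiers owned by the Flow framework (`Neos.Flow:Everybody` and `Neos.Flow:AuthenticatedUser`, the literals this hunk removes), so the enum named `NeosUserRole` now also carries roles that Neos.Neos does not define and cannot rename; the enum body itself is not part of this chunk. I would document that on the two cases, e.g. `// Built-in Flow role: the identifier is owned by Neos.Flow, not declared in this package's Policy.yaml.`, so a future reader does not treat them as renameable alongside the Neos-specific cases. `getAllRoles` continues past the hunk.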
@@ -63,7 +62,7 @@ public function getWorkspacePermissions(ContentRepositoryId $contentRepositoryId
 * We hardcode the check against administrators to always grant manage permissions. This is done to allow administrators to fix permissions of all workspaces.
 * We don't allow all rights like read and write. Admins should be able to grant themselves permissions to write to other personal workspaces, but they should not have this permission automagically.
 */
- $userIsAdministrator = in_array(self::ROLE_NEOS_ADMINISTRATOR, $roleIdentifiers, true);
+ $userIsAdministrator = in_array(NeosUserRole::ADMINISTRATOR->value, $roleIdentifiers, true);
 $userWorkspaceRole = $this->metadataAndRoleRepository->getMostPrivilegedWorkspaceRoleForSubjects($contentRepositoryId, $workspaceName, WorkspaceRoleSubjects::fromArray($subjects));
 if ($userWorkspaceRole === null) {
 if ($userIsAdministrator) {
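Review bot: The administrator fallback in `getWorkspacePermissions` now depends on `NeosUserRole::ADMINISTRATOR->value` being byte-identical to the role identifier the policy actually grants, where the removed `ROLE_NEOS_ADMINISTRATOR` constant pinned `'Neos.Neos:Administrator'` in this file; a drift in the enum's case value would not fail loudly, it would silently make `in_array(...)` false and drop the manage-permission fallback (and, through `UserService::currentUserIsAdministrator`, every other admin check). Since the enum body is outside this chunk, I would add a test asserting `NeosUserRole::ADMINISTRATOR->value === 'Neos.Neos:Administrator'`, or better one that `$this->policyService->getRole(NeosUserRole::ADMINISTRATOR->value)` resolves without throwing, so a rename is caught at test time rather than at authorization time. The function body continues outside the hunk.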