one, never a doctype get created without a module selected.
two, a role is build on top of doctypes with all permission set it up
last a role is assigned to a user .
once user log in the system we know all assigned roles, doctypes and modules.
Check/uncheck module in user doctype is useless and confusing. Only role assignement is enough to implement user access to doctypes.
Please share your thoughts if I am wrong, thx