To add to Salini's good answer:
Don't concatenate literals to an SQL statement. Instead always use
SqlParameter [
^]. So your code could look something like:
protected void _rowdeleting(object sender, GridViewDeleteEventArgs e)
{
GridViewRow row = (GridViewRow)GridView1.Rows[e.RowIndex];
Label lbldeletename = (Label)row.FindControl("lblusername");
MAconn.Open();
SqlCommand cmd = new SqlCommand("DELETE FROM Roles WHERE UserId = (SELECT u.UserId FROM Users u WHERE u.UserName = @UserName", MAconn);
cmd.Parameters.AddWithValue("@UserName", lbldeletename.Text);
cmd.ExecuteNonQuery();
MAconn.Close();
bind();
}
This would protect you better from SqlInjections and also prevent from datatype related problems.