Correct me if I am wrong.
This is the scope for user roles as of now:
* Can add a role and specify permissions for that role
* This role/permissions info is passed in a token
* To implement access control, the dev adds logic to check if the user has a particular role or a particular permission