Correct me if I am wrong This is the scope for user roles as of now * Can add a role and specify permissions for that role * This role/permissions info is passed in a token * To implement access control, the dev adds a logic to check if the user has a particular role or a particular permission