you don't have to allow it; you could always issue a delete on the other relations or precondition check to ensure the user doesn't have those roles