Gotcha. Currently, custom roles can be dynamically managed. That is to say, an org owns a role and an org admin can add or remove permissions from that role. So looking back at
> Is there a need to control roles as distinct groups of users, or is the grant always to a specific user, on a specific repo?
It's a little of both.