# spicedb


09/17/2021, 4:39 PM
wow, thanks for the knowledge! it's great for me to know we can create a permission to group access with authzed. but can we create a role to group permissions? i am curious about your thoughts on this: imagine this: there are often requests from eng teams to create a role that groups a bunch of permissions together: e.g. a
role with write access to a s3 bucket, access to view a webpage, ability to login prod servers etc. but that would definitely put too much burden on iam engineers who review those requests: 1. each team may want to create a role for each of their use cases (oncall role, normal role, prod role etc.) 2. iam engineers don't have the context of everything, imagine thousands of resources and each of them is domain specific. how do you envision the process for users to create roles while following the least privilege principle, in a scalable way?