unless everything is dynamic, i'd expect that you'd know something aboout your schema that would be exposed in your UI. if everything is dynamic, i'd probably strive to keep the schema relatively flat, and provide UI elements like AWS IAM or something like that where it tells the user what permission they're missing to do a particular thing, such that it'd be relatively easy for a user to translate missing permission -> missing role. this was something that we talked about at my last company, but things never got complex enough to warrant it.