that's a workable approach, yes. you could also define the permissions on the role itself and then use an arrow to those permissions too