i'm working on grokking the iam blog post + the user-defined roles blog post. are they essentially two ways of modeling the same concepts, or is there a meaningful difference between the approaches outlined in each to provisioning access to objects?