using something like user-defined roles, vs having all the roles and permissions defined directly in schema