I developed a security application (JAR and WAR) that provides an interface for users and applications. It allows you to dynamically create all the security information via a web browser, including roles, users, modules, user-roles, role-modules (CRUD), etc.
The result is that the application never inquires on a user role, since roles are dynamic. What is defined at development time are modules. If you have a customer screen, you can create a customer module.
The effect is this:
1> User signs on, and is assigned a session key.
2> The customer module inquires on the CRUD access the session has to that module.
So you never actually inquire on a user's role. What you are really determining is the access a session has to the functionality of your application, represented as modules. The advantage is that roles can be dynamically created in production, and assigned to users. You can give users called Security Administrators (SA) the ability to maintain users, roles, and their intersection.
If your requirements call for "static" roles, you just create them yourself, and don't give access to end-users. In effect, you are the SA.
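
The module-level check described in this post, sketched as an added example (not the poster's application code): the class, method, role and module names are hypothetical, and in-memory maps stand in for whatever store the real application uses.

```java
import java.util.*;

// Added illustration; every name here is hypothetical.
public class ModuleAccessDemo {
    enum Op { CREATE, READ, UPDATE, DELETE }

    // Data a Security Administrator maintains at runtime.
    static final Map<String, Map<String, EnumSet<Op>>> roleModules = new HashMap<>(); // role -> module -> ops
    static final Map<String, Set<String>> userRoles = new HashMap<>();                // user -> roles
    static final Map<String, String> sessions = new HashMap<>();                      // session key -> user

    static void grant(String role, String module, Op... ops) {
        roleModules.computeIfAbsent(role, r -> new HashMap<>())
                   .computeIfAbsent(module, m -> EnumSet.noneOf(Op.class))
                   .addAll(Arrays.asList(ops));
    }

    static void assign(String user, String role) {
        userRoles.computeIfAbsent(user, u -> new HashSet<>()).add(role);
    }

    static String signOn(String user) {
        String key = UUID.randomUUID().toString(); // random session key
        sessions.put(key, user);
        return key;
    }

    // The only question application code asks: session + module -> CRUD access.
    // Unknown sessions, users without roles and ungranted modules yield an
    // empty set, so the default is deny.
    static EnumSet<Op> access(String sessionKey, String module) {
        EnumSet<Op> result = EnumSet.noneOf(Op.class);
        String user = sessions.get(sessionKey);
        if (user == null) return result;
        for (String role : userRoles.getOrDefault(user, Collections.emptySet())) {
            Map<String, EnumSet<Op>> modules = roleModules.getOrDefault(role, Collections.emptyMap());
            result.addAll(modules.getOrDefault(module, EnumSet.noneOf(Op.class)));
        }
        return result;
    }

    public static void main(String[] args) {
        grant("clerk", "customer", Op.READ);
        assign("alice", "clerk");
        String key = signOn("alice");
        System.out.println("before new role: " + access(key, "customer"));
        // A role created in production: the customer module's check is unchanged.
        grant("account-manager", "customer", Op.CREATE, Op.UPDATE);
        assign("alice", "account-manager");
        System.out.println("after new role:  " + access(key, "customer"));
        System.out.println("unknown session: " + access("no-such-key", "customer"));
    }
}
```

The customer screen only ever calls `access(key, "customer")`; no role name appears in application code, which is what lets roles be created and reassigned without a redeploy.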