A problem with this approach can appear if you want to allow users to update their own User resource. It can also appear in multi-tenant systems, where users can belong to multiple organisations or departments and can potentially interact with the system in different roles. Imagine an outpatient EHR with multiple locations and physicians who can work in some of these locations. Aidbox provides the Role resource, which can keep this context information and integrate it with the Access Control engine in a sophisticated way. Let's say we have a multi-organisation system with users who can play different roles in different organisations.