Assuming you have identified your role strategy and have listed your roles, now you need to define what it is the roles can do. Much of this process is already defined by the strategy you have chosen. But there can be degrees or levels of permission. For instance, if an authenticated user can create content, can they also edit the content? Don't laugh, this may seem an obvious answer of yes but not always.