Description of problem:
User object doesn't have roles list.
It would be useful to have a roles list in the user object, in the same way as Role object have users list.
It should also be possible to update a user by modifying the roles list.
The User object has a Role set. We don't express it in the JSON because it will introduce an infinite recursion.
As for updating a user by modifying the roles list, it could create a race condition and would not be healthy for the system.
Are used to update the relationships between user and role
1. If a user object will contain the role-ids not role objects it will not recourse.
2. I think updating role by role is acceptable as a work around. However it's not a transactive solution and may produce unexpected results in case of failure.
Most users are doing their own authn/authz. Closing until there is a project need.