Hi @ianb
I would have trouble answering your questions in a 1 page post. I’d need to know a LOT more about the different kinds of users, where they are stored, how they are validated. There are TONS of gotchas to be mindful of, without knowing details, it is hard to begin.
Roles are great for defining access, but they have limitations. I’d need to know a lot about the permission framework you need, how you are restricting access etc.
Sorry for this reply - I wanted you to know that these general questions are really hard to respond to. If you are with a company, I’d recommend Auth0 Professional Services health check offering for this.
John