Hi, @ikkitang thanks for contacting us, and welcome to the Auth0 Community!
Your use-case sounds like it would be best managed by the Authorization Extension if you want to have Role-based information in the user’s app_metadata. I’ll include links that talk about the difference between Authorization Core and the Extension along with other docs that touch more specifically on your use-case:
To your other question about adding Permissions to a user who is already logged in: if I understand your implementation correctly, then yes, they'd have to log in again to get a new token. However, if you're using the app_metadata as a means to restrict access, you may be able to let your backend PATCH the user in question to update their metadata accordingly.
Best Regards,
Colin
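An added example of the backend-side PATCH described above and of why an already-issued token does not pick the change up (this is not Colin's or Auth0's code). It assumes your tenant domain, a Management API token holding the `update:users_app_metadata` scope, and that a rule copies `app_metadata.roles` into the namespaced token claim named below; all values are placeholders.

```python
"""Added example, not Colin's or Auth0's code. Assumes: your tenant domain, a
Management API token holding the update:users_app_metadata scope, and a rule
that copies app_metadata.roles into the namespaced token claim below."""
import base64
import json
import urllib.parse
import urllib.request

ROLES_CLAIM = "https://example.com/roles"  # assumed custom claim name


def build_app_metadata_patch(domain, user_id, mgmt_token, app_metadata):
    """PATCH https://{domain}/api/v2/users/{user_id} with new app_metadata.
    Top-level app_metadata keys are merged, so only the keys sent change."""
    url = f"https://{domain}/api/v2/users/{urllib.parse.quote(user_id, safe='')}"
    body = json.dumps({"app_metadata": app_metadata}).encode()
    return urllib.request.Request(
        url, data=body, method="PATCH",
        headers={"Authorization": f"Bearer {mgmt_token}",
                 "Content-Type": "application/json"})


def token_roles(jwt, claim=ROLES_CLAIM):
    """Roles claim of an already-issued JWT. The signature is NOT verified
    here; use this to compare claims, never to authorize a request."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get(claim, []))


def token_is_stale(jwt, current_roles, claim=ROLES_CLAIM):
    """True when app_metadata changed after this token was issued: the user
    must log in again before a token carries the new roles."""
    return token_roles(jwt, claim) != set(current_roles)


def demo_token(payload):
    """Constructed, unsigned JWT for offline demonstration only."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(payload)}."


if __name__ == "__main__":
    issued = demo_token({"sub": "auth0|demo", ROLES_CLAIM: ["reader"]})
    req = build_app_metadata_patch("YOUR_TENANT.auth0.com", "auth0|demo",
                                   "MGMT_TOKEN", {"roles": ["reader", "editor"]})
    print(req.get_method(), req.full_url)       # PATCH https://.../auth0%7Cdemo
    # urllib.request.urlopen(req) would send it; skipped here to stay offline.
    print("stale:", token_is_stale(issued, ["reader", "editor"]))  # stale: True
```

Because the token is a snapshot taken at login, a backend that enforces access from app_metadata should read the user's current metadata server-side rather than trusting the roles claim of a token issued before the PATCH.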