How do you approach managing user roles and permissions in AEP to ensure strict access controls and privacy compliance?