Naming of roles and permissions

Roles should be named like this:

This is a system-wide role:

```
administrator
```

Service-specific roles should be prefixed:

```
timereport.administrator
```

In the token, the "role" claim is represented by an array.