The following documents the access control that should be provided to users through LoopBack. If for some reason the access controls inhibit development, we can grant the needed access to the users. Before deployment, we can remove that access from those users and grant it to a "super user" instead. The "super user" can only be accessed through methods that run entirely on the remote server, so there is no security breach. Because of this, these access controls can be seen as application-level: "what can the user in the role do?" rather than "what are the restrictions on the roles as defined in the tables?".