Strongly agree with @joelq on the complexity of roles. Most of the apps I’ve worked on have only required two levels of permissions, in which case I just augment the User model with an admin boolean flag. Then you can run current_user.admin? to check for admin-level access. Once you get beyond that (even if it’s just one more role beyond basic user and admin), I think that approach should be scrapped for something more robust that is purpose-built for authorization.