The use of roles is fine. We do the same. The problem we have is with the coding that has been done by various programmers. We didn't keep a good handle on how it was all implemented, access that is. Some code uses roles, some uses other things making the addition of new roles a bit more complex. We even had some code that said as long as no one was explicitly granted this role then everyone had access. The moment we explicitly added the role to someone, everyone else was denied access. That mistake made it to production.