Constraints for role-based access control | Synapse