Create permissions for each resource, each describing the allowed access and carrying a description to display on the consent screen. Permissions can be modeled around CRUD operations on data models or around API verbs.
Map permissions to roles so that users are assigned a few selected roles rather than a large number of low-level permissions. Roles are hierarchical, so a role can inherit permissions from other roles.
If the tenant is organization-enabled, this feature provides an additional container and layer to group users and roles, which is highly desirable if your SaaS product or digital platform is business-to-business (B2B).
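
The model described above, as an added example (not code from the product this page documents): permissions carry consent-screen descriptions, roles inherit from other roles, and role assignments are scoped to an organization. All resource, permission, role, user and organization names are hypothetical, and keying assignments by (user, organization) is an assumption about how the organization layer groups users and roles.

```python
# Added illustration: every resource, permission, role and organization name is hypothetical.
from dataclasses import dataclass, field

# permission key "<resource>:<action>" -> description shown on the consent screen
PERMISSIONS = {
    "invoice:read": "View invoices",
    "invoice:create": "Create invoices",
    "invoice:delete": "Delete invoices",
}

@dataclass
class Role:
    permissions: set = field(default_factory=set)   # permission keys granted directly
    inherits: tuple = ()                            # names of parent roles

ROLES = {
    "viewer": Role({"invoice:read"}),
    "editor": Role({"invoice:create"}, inherits=("viewer",)),
    "admin": Role({"invoice:delete"}, inherits=("editor",)),
}
# Assumed scoping: (user, organization) -> roles held inside that organization
ASSIGNMENTS = {("alice", "org-a"): ["editor"], ("alice", "org-b"): ["viewer"]}

def effective_permissions(role_name, roles=ROLES, _path=()):
    """Permission keys a role grants, directly or through inherited roles."""
    if role_name in _path:
        raise ValueError("role inheritance cycle: " + " -> ".join(_path + (role_name,)))
    role = roles[role_name]  # an undefined role raises KeyError: fail closed
    unknown = role.permissions - set(PERMISSIONS)
    if unknown:
        raise ValueError(f"role {role_name!r} uses undefined permissions {sorted(unknown)}")
    granted = set(role.permissions)
    for parent in role.inherits:
        granted |= effective_permissions(parent, roles, _path + (role_name,))
    return granted

def is_allowed(user, org, permission, assignments=ASSIGNMENTS, roles=ROLES):
    """Default deny: only roles held inside `org` count for a request in `org`."""
    return any(permission in effective_permissions(r, roles)
               for r in assignments.get((user, org), ()))

def consent_lines(role_name, roles=ROLES):
    """Descriptions to display on a consent screen for everything a role grants."""
    return [PERMISSIONS[p] for p in sorted(effective_permissions(role_name, roles))]
```

Rejecting inheritance cycles and undefined permission keys when a role is resolved keeps a misconfigured hierarchy from silently granting or hiding access.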