Currently if a user is authenticated by the OIDC endpoint, then the user is allowed at minimum read-only access to the management portal. Given that the DNSFilter platform is acting as the authorisation service, we would like there to a "no-access" role that could be assigned as a default rather than allowing any authenticated parties snoop on everyone's web history.