@ssmusoke I would echo @darius that there is a confusion between roles and user groups, and I think we should get this right. A role is not a collection of users, it’s a collection of privileges. However those roles being distributed to users make us think of them as collections of users, but this is a second degree effect.
Personally I believe that if we want to get things right and avoid making contorsions in the future, we should at least anticipate that a new UserGroup entity will exist one day.
@mseaton I personally would prefer a dedicated table then, rather than using cohort attributes, because this could become the seed (yet limited to cohorts for now as @dkayiwa suggested) for a more general access level management pattern that could be expanded to other entities.
@dkayiwa by inexpensive I meant “as little work as possible / out of the box”. When I was asked if there was a way to store a single user access to a cohort with the existing data model and API, I said that yes this could be done through user properties right away.