Currently, there can be assigned only one role per user per project. To avoid having to craft specific roles for every specific minor use-case (an action which always requires administrative rights unless OD-2334 is resolved), it would be useful to allow multiple roles to be assigned, which act additively. So, if one role can view the "Logs" report, and another can view all artifacts, assigning both roles would allow both.

This would ideally impact anywhere a role is required, including user roles, project default role, and access token roles.

On that note, adding multiple roles for a project to an access token does not warn you that only one role can be applied, which makes it confusing when the other roles are removed. That is what I was trying to do, and assumed I could, since it did not complain when I added multiple roles. Having to log in as admin just to create a role with as few as possible permissions for every access token disincentivizes proper security practices.