Pulp plugins can provide a set of default roles out of the box that cannot be changed. These roles are stored in the roles database and are marked as "locked". Traditionally, these are added directly to each viewset using the LOCKED_ROLES attribute, however the galaxy_ng viewsets aren't hooked into the pulp router, so this method can't be used for defining system roles.

To fix this, we need to:

• Create a file under galaxy_ng/access_control/ to store our role definitions. This should be similar to how access policies are stored now.

• Create a post migration hook that loads the role definitions into the database. The post migration hook can be initialized in the same way that we set the pulp container access policies, and should follow the same logic as the populate_roles function

Role definitions are still TBD, so for now just create a few test roles with arbitrary permissions.