In my experience, role-based access systems are most useful when they have the following qualities:
A repository that maps Roles to Users in a many-to-many relationship, resulting in Role-User records, one record per Role-User combination.
A mapping from Roles to approved Activities. This mapping can occur in a repository, but it can also occur in code if the mapping is stable enough.
The ability to "bind" allowed Activities to Commands. This allows, for example, the disabling of a button when the capability provided by that button is no longer within the purview of a user's Roles and allowed Activities.
The ability to combine Roles and Activities with business rules in various combinations.
In any reasonable software system, a Role often embodies limits. A supervisor can approve overtime but not sign checks. Employees may only be allowed to perform certain Activities at a particular time of day.
Which brings us to the issue at hand: should roles be used to identify payment tiers?
The purist in me says that this isn't a role; it is a feature. Roles in a software system are intended to embody your customers' business rules, not your company's business rules. Roles are typically set by an administrator user; you would have to lock out these specific Roles from that person so they can't change them.
But you may have other constraints such as development costs, and the software doesn't really care; it will function perfectly adequately if you co-opt the Role system to perform this function rather than spending the time and money to build a whole other subsystem just to impose tier limits.
