As a starting point, I would use the System 'UserRole'’ entity, for each role the system has automatically created an object and users can only see the user roles which they can manage according to the security settings. With the "simple checkbox set selector" you can achieve a UI like this, without the primary/general options.
What does the primary/general enum do? In case there is only one primary user role I would suggest to let the user first select the primary role or allow selection based on the selected user roles afterwards.