AccessOwl offers three different ways to map out an application permission structure:
One set of roles/permissions per application
This is the simplest form where the application has a set of roles/permissions (entitlements). You can specify whether only one entitlement can be selected or multiple roles can be selected.
Usually all roles/permissions are requestable by default. You can adjust that individually.