The spring boot application uses spring security by default.
The configuration entry point is SecurityConfiguration.java where you can configure which roles can do what ( .antMatchers("/api/conferences").hasAuthority(“my_new_role”).
The roles (authorities in spring security jargon) are grabbed from the roles attached to the client used by spring boot (named “internal” by default).
You can change that behaviour tweaking JwtAuthorityExtractor.java