diff --git a/lib/mv/authorization/role.ex b/lib/mv/authorization/role.ex index e5b9795..3397172 100644 --- a/lib/mv/authorization/role.ex +++ b/lib/mv/authorization/role.ex @@ -42,6 +42,11 @@ defmodule Mv.Authorization.Role do postgres do table "roles" repo Mv.Repo + + references do + # Prevent deletion of roles that are assigned to users + reference :users, on_delete: :restrict + end end code_interface do @@ -75,27 +80,12 @@ defmodule Mv.Authorization.Role do end validations do - validate fn changeset, _context -> - permission_set_name = Ash.Changeset.get_attribute(changeset, :permission_set_name) - - if permission_set_name do - valid_sets = - Mv.Authorization.PermissionSets.all_permission_sets() - |> Enum.map(&Atom.to_string/1) - - if permission_set_name in valid_sets do - :ok - else - valid_sets_string = Enum.join(valid_sets, ", ") - - {:error, - field: :permission_set_name, - message: "Invalid permission set name. Must be one of: #{valid_sets_string}"} - end - else - :ok - end - end + validate one_of( + :permission_set_name, + Mv.Authorization.PermissionSets.all_permission_sets() + |> Enum.map(&Atom.to_string/1) + ), + message: "must be one of: own_data, read_only, normal_user, admin" validate fn changeset, _context -> if changeset.action_type == :destroy do @@ -114,7 +104,7 @@ defmodule Mv.Authorization.Role do end attributes do - uuid_primary_key :id + uuid_v7_primary_key :id attribute :name, :string do allow_nil? false
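Review bot: The `reference :users, on_delete: :restrict` entry in the first hunk is probably declared on the side of the relationship that does not own the foreign key. An AshPostgres `references` entry configures the foreign key of a relationship whose column lives in this resource's table. If `:users` is a `has_many` on the role (the relationships block is outside the hunk), the column sits on the users table, and the rule would belong in the user resource as `reference :role, on_delete: :restrict`, assuming the `belongs_to` there is named `:role`. In that case the guard against deleting an assigned role may never reach the database. Either way it only takes effect through a generated migration, as does the `uuid_v7_primary_key` change in the last hunk, and no migration is visible in this part of the diff.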
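Review bot: The hard-coded `message:` on the new `one_of` validation in the second hunk repeats the permission-set names by hand, so it goes stale the first time `Mv.Authorization.PermissionSets.all_permission_sets()` changes; the removed closure built the text from the live list. Because `permission_set_name` decides what a role may do, the error text should not be able to disagree with the values actually accepted. Computing the list once as `@permission_set_names Enum.map(Mv.Authorization.PermissionSets.all_permission_sets(), &Atom.to_string/1)` and then writing `validate one_of(:permission_set_name, @permission_set_names), message: "must be one of: #{Enum.join(@permission_set_names, ", ")}"` keeps the two in step. The `validations` block continues past the end of the hunk.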