So the first thing that comes to mind is to use the content-type hooks, because the roles are the content-type provided by the plugin @strapi/plugin-user-permissions (can check in your node_modules)
Or alternatively if you find out that you cannot use the injection hooks, then you can extend the base plugin, but that doesn’t sound as a reliable and comfortable solution to implement for this case.