A POST to set permissions for a role looks like this:
If role/roleId is not present in the payload, a 500 error is returned. Payloads without the roleId should be allowed, because the role csid is already present in the URL. This would be consistent with other subresources (e.g. contacts), which do not expect the parent csid to be present in the subresource payload.