The reason why I believe there is a many-to-many relationship between Roles and Permissions is because of the following:

1. One Role could have many permissions (EditReport, DeleteReport, etc.). True.
2. One Permission (e.g. EditReport) could have (or be associated with) many Roles (e.g. SalesPerson, SalesManager, etc.). True.

Since both of the statements *seem* to be true, at least in my opinion, I think you *need* a many-to-many relationship. So what is the consequence of *not* having a many-to-many? Well, perhaps then you will have redudant data. There will be an EditReport permission record for SalesPerson and an EditReport record for SalesManager. I guess this isn't *that* big of deal.