As a personal experience, to edit a field in the Users table after a role is added.
Having a web app and an api restricted to users with role :developer, after a user is assigned with that role I use the :after_add callback to create an access token for that user. You may need to remove the access token with :after_remove if the user isn't a :developer anymore.