Hi Eun-hee Ahn,
You have got the exact situation.
One more thing I want to add is that if I am granting the 'sso_role' to 'john', then 'john' will be able to revoke 'mon_role' (for example) from himself, which should not be.
(which is quite surprising in this case as well as in a real-life scenario)
Should I provide anything else on this?
---
With kind regards,
DJ