Before users install your application they get presented with a screen showing these roles. If they accept to install your application then the API calls you can make will be restricted to those roles.
Click on the image to make it larger
If you change the roles of your application after users have installed it, they will be asked again to approve those roles the next time they access your application. Until then, you won't have access to their accounts, not even based on the old roles.