In section 1.5.13.6.1 of the Reference Guide, the ROLES parameter is said to be optional, but a HTTP 403 is actually generated if it is not specified.