What are some best practices when defining users with different roles/permissions, such as normal user with restricted access and administrator with full access?

My user class looks something like this:

@Entity
@Table(name = "users")
public class User {
    @Id
    @Column(name = "userID")
    @GeneratedValue(generator = "increment")
    @GenericGenerator(name = "increment", strategy = "increment")
    private Long userID;

    public Long getUserID() {
        return userID;
    }

    @ManyToOne(fetch = FetchType.LAZY)
    @Column(nullable = false)
    private Role role;

    @Column(nullable = false)
    private boolean isActive;

    @Column(nullable = false, unique = true)
    private String email;

    @Column(nullable = false)
    private String password;    

    @Column
    @Temporal(TemporalType.TIMESTAMP)
    private Calendar lastLoggedIn;

    @Column(nullable = false)
    @Temporal(TemporalType.TIMESTAMP)
    private Calendar createdDate;

    @Version
    private Integer version;
}

My Role class is:

@Entity
@Table(name = "roles")
public class Role {
    @Id
    @Column(name = "roleID")
    @GeneratedValue(generator = "increment")
    @GenericGenerator(name = "increment", strategy = "increment")
    private Long roleID;

    @Column(nullable = false)
    private String roleName;

    @Column(nullable = false)
    private String rolePermissions;
}

Say my application needed to retrieve a list of user and their roles, should an instance of User hold a reference to an instance (or proxy) of Role? What if my application had to find all Users for a particular Role, does Role have to have a List of Users? What are some tried and true ways of designing and implementing this relationship?

Also, am I doing the mapping correctly with JPA?