[BUGFIX] Exceeding roles of accounts are now ignored
If an account had one ore more roles which were not
defined in a policy, access was denied to this account
because the role could not be matched. It is, however,
more practical to simply ignore exceeding roles.
This patch makes sure that getRoles() only considers
roles of the active tokens which really exist in one
of the policies.