Category "scopes"

What is the correct use of scopes and app roles in an Azure AD web api with user and daemon clients?

I have a web api to access "resources". These are not user specific resources. There is a "reader" app role. User1 is added to "reader" role App1 has been grant