Roles are used to model the business processes that exist within a business enterprise. Roles determine the set of application resources that display for that user when they access their permitted workspaces. In order to model your organization’s business processes effectively, users need access to all the appropriate application resources required for them to perform their everyday business tasks.

In this context, an application resource typically is an executable program that exists within the menu system: either a standard program or a component-based activity. However, in addition to functions executed from the menu, some activities that are not on the menu can be secured.

All system users must be assigned to at least one role in order to gain access to the system. Typically the same role is given to more than one user in an organization, and a single user may have several assigned roles.

Role-based access control provides flexibility and consistency in the way security requirements are enforced, and also helps reduce maintenance for the system administrator. While your users may change based on terminations or task reassignments, roles within an organization typically remain stable over time.

Roles are not domain specific—they are defined system wide. However, roles operate within the context of the domains and entities to which the user has been granted access. This concept is known as role membership. See Defining Role Membership.