Learning: Roles
So, we have a user that’s made up of the user account datatype that belongs to a user group. Then we define policies that we want to assign to a particular user or user group. These policies when combined are called a role. The role is assigned to the user group or specific user.
However, just to complicate matters, a role can have limitations of it’s own. For instance, a normal editor role would have the ability to read, create and delete all content. But you might want to restrict some editors to one part of the system only. Eg. the marketing users are only allowed to add content to the marketing section. Rather than put that in the policy, you have a standard editor policy and then create another role to apply to the marketing group within editors that restricts them to the marketing section only.
Note: you need to remember that role limitations will override the limitations of the role’s policies. This means if the policy has no limitations (like the editor policies) then the role limitation will take precedence.
Typical role limitations are to a particular section or subtree.