Roles are static collections of privileges that establish a user's broad access rights. Rules extend this static model, which is established by attaching a user to a Role: they examine user attributes, such as department code or location code, and specify additional details, such as mail server location, based on these user-specific variables.
A single level of indirection separating users from fine-grained
privileges may not be sufficient to address complex user management.
As a result, it often makes sense to define two types of Roles:
Business Roles and Infrastructure Roles.
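The following added example (not part of the original text) sketches the two-level model: Business Roles expand to Infrastructure Roles, which carry the fine-grained privileges, and a Rule derives the mail server from the user's location code. All role, privilege and server names are hypothetical, and attaching Rules to Infrastructure Roles is an assumption made for the sketch.

```python
# Constructed sample data; all role, privilege and server names are hypothetical.
INFRASTRUCTURE_ROLES = {
    "mail-user": {"mail:mailbox"},
    "erp-ap-clerk": {"erp:invoice.read", "erp:invoice.create"},
    "erp-auditor": {"erp:invoice.read", "erp:ledger.read"},
}
BUSINESS_ROLES = {
    "accounts-payable": ["mail-user", "erp-ap-clerk"],
    "internal-audit": ["mail-user", "erp-auditor"],
}
MAIL_SERVERS = {"NYC": "mail-nyc.example.com", "LON": "mail-lon.example.com"}


def mail_server_rule(user):
    """Rule: derive the mail server from the user's location code."""
    location = user.get("location_code")
    if location not in MAIL_SERVERS:
        # Refuse to guess a default when the attribute is missing or unmapped.
        raise ValueError(f"no mail server mapped for location {location!r}")
    return {"mail_server": MAIL_SERVERS[location]}


# Assumption: a Rule runs only when the Infrastructure Role it is attached to is granted.
RULES = {"mail-user": [mail_server_rule]}


def resolve(user):
    """Expand Business Roles to Infrastructure Roles, then to privileges,
    and evaluate the attached Rules against the user's attributes."""
    privileges, details = set(), {}
    for business_role in user["business_roles"]:
        if business_role not in BUSINESS_ROLES:
            # Fail closed: an unknown role is an error, never a silent no-op.
            raise KeyError(f"unknown business role {business_role!r}")
        for infra_role in BUSINESS_ROLES[business_role]:
            privileges |= INFRASTRUCTURE_ROLES[infra_role]
            for rule in RULES.get(infra_role, []):
                details.update(rule(user))
    return privileges, details


if __name__ == "__main__":
    alice = {"business_roles": ["accounts-payable"], "location_code": "LON"}
    print(resolve(alice))
```

Resolving a user who holds both Business Roles returns the union of their privileges, which is the place to add a separation-of-duties check if the two roles should not be combined.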