In corporate environments, organizations may employ many users, and each user may be assigned many security rights. The assignment of a security right to a user is an entitlement, and the number of entitlements grows with the product of the number of users and the number of available security rights.
Roles are defined to reduce the number of entitlements that must be managed. A role is a named collection of other entitlements. If many users need the same set of entitlements, it can be simpler to define a role that includes those entitlements and assign the role, rather than the individual entitlements, to the relevant users. This simplifies the management process because there are fewer things to manage. Roles can also make access requests more user-friendly when they are given business-friendly names.
The complexity of assigning security rights directly to users and the leverage that roles can add to the process are illustrated in Figure [link].
Figure: Using roles to simplify access management
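The reduction that roles provide can be checked on constructed data. The following Python sketch is an added example, not part of the original page: it groups users who hold identical sets of rights into candidate roles, then compares the number of items an administrator maintains before and after. All user, right and role names are assumptions made for illustration.

```python
from collections import defaultdict

def rights_by_user(entitlements):
    """Collapse (user, right) pairs into {user: frozenset(rights)}."""
    per_user = defaultdict(set)
    for user, right in entitlements:
        per_user[user].add(right)
    return {u: frozenset(r) for u, r in per_user.items()}

def propose_roles(entitlements, min_members=2):
    """Users with identical right sets form a candidate role; others keep direct grants."""
    groups = defaultdict(list)
    for user, rights in rights_by_user(entitlements).items():
        groups[rights].append(user)
    roles, members, leftover = {}, {}, set()
    ordered = sorted(groups.items(), key=lambda g: sorted(g[0]))  # stable role naming
    for n, (rights, users) in enumerate(ordered, 1):
        if len(users) >= min_members:
            roles[f"role-{n}"] = set(rights)       # hypothetical role name
            members[f"role-{n}"] = set(users)
        else:
            leftover |= {(u, r) for u in users for r in rights}
    return roles, members, leftover

def expand(roles, members, leftover):
    """Resolve role membership back to effective (user, right) pairs."""
    pairs = set(leftover)
    for name, rights in roles.items():
        pairs |= {(u, r) for u in members[name] for r in rights}
    return pairs

def managed_items(roles, members, leftover):
    """Count role contents, role memberships and remaining direct grants."""
    return (sum(len(r) for r in roles.values())
            + sum(len(m) for m in members.values()) + len(leftover))

def sample_entitlements():
    """Constructed data: 50 tellers x 5 rights, 10 auditors x 4 rights, 1 admin x 2 rights."""
    pairs = set()
    for i in range(50):
        pairs |= {(f"teller{i}", r) for r in ("crm-read", "crm-write", "till", "email", "vpn")}
    for i in range(10):
        pairs |= {(f"auditor{i}", r) for r in ("crm-read", "ledger-read", "email", "vpn")}
    return pairs | {("admin0", "domain-admin"), ("admin0", "vpn")}

if __name__ == "__main__":
    direct = sample_entitlements()
    roles, members, leftover = propose_roles(direct)
    print(len(direct), "direct entitlements ->", managed_items(roles, members, leftover), "managed items")
```

Expanding the proposed roles reproduces exactly the original user-to-right pairs, so effective access is unchanged while the number of managed items falls.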