The Identity Manager User Application’s Roles Based Provisioning Module provides an easy way to assign people to privileges through role membership.
A role defines a set of privileges. When you assign a user to a role, the user is granted all the entitlements associated with the role (with any parameter values as specified in the Role editor). When a user is removed from a role, all entitlements granted when the user was assigned to the role are revoked. Only the entitlements granted through the role are revoked; entitlements the user has been granted through other means are not revoked.