The Identity Manager User Application’s Roles Based Provisioning provides an easy way to assign people to privileges in target systems through their role membership. The module allows you to easily ensure that employees have access to the resources they need.
A role defines a set of privileges related to one or more target systems or applications. When you assign a user to a role, the user is granted all the entitlements associated with the role (with any parameter values as specified in the Role editor). When a user is removed from a role, all entitlements granted when the user was assigned to the role are revoked. Only the entitlements granted through the role are revoked; entitlements the user has been granted through other means are not revoked.