You determine the actions that users can perform by assigning the following items to users and groups:
Privileges. A privilege determines the actions that users can perform in application clients.
Roles. A role is a collection of privileges. When you assign a role to a user or group, you assign the collection of privileges belonging to the role.
Use the following rules and guidelines when you assign privileges and roles to users and groups:
You assign privileges and roles to users and groups for the domain and for each application service that is running in the domain.
You can assign different privileges and roles to a user or group for each application service of the same service type.
A role can include privileges for the domain and multiple application service types. When you assign the role to a user or group for one application service, privileges for that application service type are assigned to the user or group.
If you change the privileges or roles assigned to a user, the changed privileges or roles take affect the next time the user logs in.
You cannot edit the privileges or roles assigned to the default Administrator user account.