Identifying the scope for role definitions

The rights from multiple role assignments accumulate, which provides great flexibility and granularity in how you define and assign rights and roles. For example, you can use the UNIX Login role to control basic access, and define a second role that grants the rights to execute a set of privileged commands, so that a user assigned to both roles could log on, but only execute a few specific commands with elevated privileges. When you separate rights into different role definitions, not every role requires PAM applications or system rights, as long as the user is also assigned a role that has those rights.

Because access rights are additive, however, it is important to consider where you define and assign roles to control who has administrative privileges on which computers. For example, it might seem reasonable to assign the predefined UNIX Login role to all Active Directory users. Doing so, however, could grant broad permission to log on to Linux or UNIX computers to which you want to restrict access. If you assign that role in a parent zone, the assignment is inherited by the child zones, where it combines with any additional rights granted there.

In most cases, it is appropriate to define roles in parent zones, but assign roles carefully in child zones to avoid granting access rights on computers that host administrative applications or sensitive information.
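
The following added example (not product code, and not taken from the original documentation) models the additive, inherited behavior described above so that you can audit for logins that exist only because of a parent-zone assignment. The zone names, the "Domain Users" group, the users, and the "Web Admin Commands" role are constructed assumptions; only the UNIX Login role name comes from the text.

```python
# Simplified model for illustration only; zone, group and user names are constructed.
ZONE_PARENT = {"Global": None, "WebServers": "Global", "Finance": "Global"}

ROLES = {  # role definition -> rights it grants
    "UNIX Login": {"login"},
    "Web Admin Commands": {"cmd:apachectl", "cmd:systemctl restart httpd"},  # hypothetical role
}
GROUPS = {"Domain Users": {"alice", "bob", "carol"}}

# (zone where assigned, user or group, role)
ASSIGNMENTS = [
    ("Global", "Domain Users", "UNIX Login"),   # broad parent-zone assignment
    ("WebServers", "alice", "Web Admin Commands"),
    ("Finance", "bob", "UNIX Login"),
]


def zone_chain(zone):
    """Return the zone followed by its ancestors, up to the root."""
    chain = []
    while zone is not None:
        chain.append(zone)
        zone = ZONE_PARENT[zone]
    return chain


def effective_rights(user, zone, assignments=ASSIGNMENTS):
    """Map each right the user holds in `zone` to the zones whose assignments grant it."""
    chain = zone_chain(zone)
    rights = {}
    for assigned_zone, principal, role in assignments:
        if assigned_zone not in chain:
            continue  # assignment made in an unrelated zone
        if principal == user or user in GROUPS.get(principal, set()):
            for right in ROLES[role]:
                rights.setdefault(right, set()).add(assigned_zone)  # rights accumulate
    return rights


def inherited_only_logins(zone, users, assignments=ASSIGNMENTS):
    """Users who can log in to `zone` only because of an assignment made in a parent zone."""
    flagged = []
    for user in users:
        sources = effective_rights(user, zone, assignments).get("login", set())
        if sources and zone not in sources:
            flagged.append(user)
    return sorted(flagged)
```

In this model, calling inherited_only_logins("Finance", ["alice", "bob", "carol"]) reports alice and carol: neither was assigned a role in the Finance zone, but both can log on there through the parent-zone assignment.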