As discussed in Basic concepts of access rights and roles, although rights are fundamental to authorizing user access, you cannot assign rights directly to users. Instead, rights are combined into role definitions that reflect the needs of a specific job function, such as database administrator, or the ability to perform a particular task, such as starting a web service or running commands that compress or extract files. It is up to you, as an administrator, to decide on the role definitions your organization needs and to assign those custom role definitions to the appropriate users and groups.
Basic access rights require Active Directory users to have a complete UNIX profile and at least one role assignment, such as the UNIX Login role, that is in effect in the zone to which a computer is joined. To move beyond basic access rights, you must define custom rights and custom role definitions, then add the specific rights to each role definition.
After you configure a role definition with rights, you can assign it to individual Active Directory users or to Active Directory groups, so that the role applies to all members of the group. By assigning role definitions to groups, you can manage ongoing role-based user access completely through Active Directory.