Securables are specific functions of an application that can be access-restricted. Your application provider designates which functions of an application can be access-restricted; however, you can select which Users have or are denied access to these functions through the creation of Roles.
Each Role that you create can be given access to any combination of Securables that you choose. This includes Securables for your subscribed applications, as well as Securables that have been built into your Account Portal.
With the exception of the Account Administrator (who has access to all Securables for all applications including the Account Portal), by default a User has no access to Securables until they are assigned to a Role that has been given Securable permissions.
Because you are completely free to customize which Securable permissions are assigned to which Roles, you can create a Role system in any way you choose. You may, for instance, create a Role and assign appropriate permissions corresponding to your group’s organizational structure (e.g., “Manager,” “Sales Rep,” “Purchasing Officer,” etc.), or you may create Roles and assign permissions according to your own unique design (e.g., “Subscription Manager,” “Applications User,” “Limited Applications User”).
Once you have created Roles and assigned Securable permissions, you can then add individual Users to Roles as you deem appropriate. Regardless of the Roles and Securables assigned, a User will still need to be assigned a subscription to an Application in order to use or launch the Application.