How Is Access Granted to Users, Actors, or Identities?
Roles are defined to assign access to system components—to provide authorization. Each actor should have one or more roles assigned to it, providing authorization to system components and data.
An actor is linked to an identity in order to allow a subject (person or process) to access the functionality assigned in the role(s) linked to that actor. A user has an identity for one or more services in the system.