Roles are combinations of permissions that allow or prevent users from performing certain tasks.
For users, they center around the ability to create, read, update and delete records. This can be limited to a type of record (bibs, auths, files). We can further limit this ability by requiring the presence or absence of certain MARC fields. For example, we can set up a role that can only create, read, update and delete records at DHL, by requiring the presence of 040 $a NNUN. We can then further narrow that role by only allowing records to be created, read, updated and deleted that don't have 999 $c t (meaning they are revised by the ITP editor and shouldn't be further edited).
