Roles are more your job title rather than the department or team that you work in which might be your group. So for example in the following scenario:
Team 1 - Networks
Team 2 - Databases
In Team 1 there could be Bob (Support Analyst), Sue (Support Analyst), Louise (Team Leader) and in Team 2 there could be Frank (Support Analyst), Dave (Support Analyst), and Ben (Team Leader). Maybe the ratio of manager to staff is a little high in this company
Bob, Sue, Frank and Dave all need to be able to be assigned incidents that they work on, update and resolve. They do this by running a query that shows them the work for their group so Bob and Sue are in a group called Networks and Frank and Dave are in a group called Databases. They all need the same access to the system in terms of being able to add notes, progress incidents etc so a role called Support Analyst has been created and given to them.
Ben and Louise also stand in to do Support Analyst duties when a member of their team is on holiday or off sick. So they are given the Support Analyst role too. However additionally as they are team leaders they need to be able to create new queries against the data in the system and also have the ability to re-open any closed incidents. A new role called Team Leader is created and this just contains those additional privileges. This is given the Ben and Louise so they can now do everything that the Support Analyst role gave them plus also the additions given to them via the Team Leader privilege.
So in summary:
Roles allow you to have people working in the same team but having different access to the system. They also allow you to define access levels for a particular job role.
In other words you may want to give a limited number of people within your organisation a specific privilege, such as giving a number of your management team or change advisory board the ability to authorise a change. Then you only need to give them the role that you have created called Change Authoriser which just specifically has that privilege and you don’t need to worry about ensuring that the role includes privileges the other things that these people need to be able to do in the system – as other roles they’ve been allocated already should include these.
It is recommended best practice to allocate privileges to users via roles rather than groups.