Context managers create a right by assigning a role to a user or group within a context.
A user or group can have only one directly assigned right per context. However, rights can be assigned to groups, and because such rights are inherited by all members of the group, users can have many rights within one context:
one directly assigned right
many indirectly assigned rights; that is, rights that have been inherited through membership of a group.
If a group right is revoked, the same right is also revoked for users within that group.
If a role is redefined by a domain administrator, rights created from that role are instantly changed to reflect that redefinition, and are propagated to all users with that role when they next synchronize with the server (Oracle IRM Server).