This figure shows how a policy grants access to a resource. At the top are three groups of users. As a user from one of the groups attempts to access a resource, the WebLogic Security Service determines whether the role condition established by the policy determines whether users in the group may dynamically granted a role. If so, the Role Mapping service maps the group to which the user is a member to the role corresponding to the policy. Next the policy statement is evaluated to determine whether the policy condition is met. If so, access to the resource is granted for this particular user.