Access is deny-all and allow by exception based on roles, domains as defined in RBAC.

Users with access to roles and permissions management can create, update, and delete roles in the system. This permission is typically assigned to administrators and power users from across the departments in an Enterprise.