While security roles are stored in IFS, they are actually 'owned' by the systems they sync from.
Whether the source is Landmark multi-tenant (MT), Landmark single tenant (ST), Lawson, EAM, Mongoose, etc., these systems own the roles, and they send a Sync.SecurityRoleMaster BOD to IFS to create them.
You can create these roles in IFS, but that only confuses things when you later want to manage the roles assigned to users.
For instance, you used to have to create the same security roles in both Lawson and Landmark and keep the users in sync via ISS. This is no longer true once you move to IFS.
Under this process, if a user needs a Lawson role assigned to him or her, that role first needs to be synced over to IFS (from Lawson) and then assigned to the user in IFS. IFS will then send a Sync.SecurityUserMaster (SUM) BOD over to Lawson with the roles attached to the user.
In fact, the SUM BOD contains all of the roles per user for every system you're syncing to via IFS (by Logical ID). Those roles are rebuilt (removing the old roles and adding the new ones) when the SUM BOD is processed.
You can, if you decide to, update the roles for a user in Lawson and it will in turn send a Process.SecurityUserMaster BOD request to IFS asking it to remove the role from the user. Once IFS consumes the Process BOD request, it will re-send the Sync SUM BOD back out to make the change 'official' (for lack of a better term).
If a Role in IFS is assigned to more than one Logical ID (LID) - say Lawson and Landmark ST - and you remove the Role in Lawson, then IFS will see the Role assigned to both Lawson and Landmark ST and it won't remove it from the user (it sees it as a valid Landmark ST role assignment).
In this case, the Sync SUM BOD will actually add the Role back to the user in Lawson. IFS couldn't remove the role from the user because it was associated with two (or more) Logical IDs, and so the security update back to Lawson will show that role as being valid for the user.
If you only set up the assignment of one Logical ID per Role (by letting the system which owns the role sync it to IFS), you can perform the role updates in either that system or IFS.
Best practice, however, is to maintain which Roles are assigned to Users in IFS.
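The multi-Logical-ID case described above can be checked before it causes a removed role to reappear. The following is an added example, not Infor code: a simplified Python model of the removal round trip, in which the Logical ID strings, role names and function names are all constructed for illustration.

```python
# Simplified model of the behaviour described above; not Infor code.
# Logical IDs and role names are constructed sample values.
LAWSON = "lid://example.lawson"
LANDMARK_ST = "lid://example.landmark.st"

# Role -> Logical IDs the role is associated with in IFS.
ROLE_LIDS = {
    "AP_Clerk": {LAWSON, LANDMARK_ST},   # associated with two systems
    "GL_Accountant": {LAWSON},           # synced in by its one owning system
}

def shared_roles(role_lids):
    """Roles tied to more than one Logical ID."""
    return sorted(r for r, lids in role_lids.items() if len(lids) > 1)

def process_removal(user_roles, role_lids, role, requesting_lid):
    """Model IFS consuming a Process.SecurityUserMaster removal request."""
    other_lids = role_lids.get(role, set()) - {requesting_lid}
    if other_lids:
        return set(user_roles)           # still valid elsewhere, so kept
    return set(user_roles) - {role}

def sync_sum(user_roles, role_lids):
    """Model the Sync.SecurityUserMaster content: the user's roles per Logical ID."""
    per_lid = {}
    for role in user_roles:
        for lid in role_lids.get(role, ()):
            per_lid.setdefault(lid, set()).add(role)
    return per_lid

def roles_after_removal(user_roles, role, requesting_lid, role_lids=ROLE_LIDS):
    """Roles the requesting system holds for the user after the round trip."""
    kept = process_removal(user_roles, role_lids, role, requesting_lid)
    return sync_sum(kept, role_lids).get(requesting_lid, set())

if __name__ == "__main__":
    user = {"AP_Clerk", "GL_Accountant"}
    print("roles on more than one Logical ID:", shared_roles(ROLE_LIDS))
    for role in sorted(user):
        print(role, "removed in Lawson ->", sorted(roles_after_removal(user, role, LAWSON)))
```

Any role returned by `shared_roles` is one where a removal made in the downstream system will be undone by the next Sync SUM BOD, so those are the assignments to review during an access recertification.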