Security roles are additive. If a user belongs to more than one role, all of the permissions from all of the roles assigned to that user are granted. If a user belongs to more than 1 role with overlapping permissions, the least restrictive permissions are granted to that user.