A role assignment is the last layer in the security framework. Role assignments define user and group access to a specific work item or work item portfolios. The security role assignment is actually part of the work item's properties. This is the final step in determining a the level of access for a user or group. A user can have a full license and have unrestricted access via their security role, and will not have access to a work item or portfolio without a appropriate role assignment.
Combining licenses, security roles, and role assignments effectively can provide the appropriate level of access and visibility into portfolio data. In fact, when combined with a well-designed portfolio structure, you can virtually isolate a work item and entire portfolios from unauthorized access.
