These allow the subscriber to assign role(s) to an MiSP in order for them to assign their employees that role. Ultimately the account is the subscriber’s so they can control what roles they allow the MiSP to access. As a result, the MiSP can only service the parts of an account that they have been granted access to.