In the AMS system, security is managed by two things: Application Roles and Security Descriptors.
Application roles define which users are members of assigned roles. Those assigned roles, such as "AMS Admins" or "AMS Users," are then added to a Security Descriptor.
Security descriptors assign rights to each of the members of those assigned roles. For example, you use security descriptors to grant Read and Write permissions to members of the "AMS Admins" role, and you grant only Read permission to members of the "AMS Users" role. The members of those roles, when added to a security descriptor, become trustees.
When you install the AMS, there are pre-existing Application Roles and Security Descriptors already built into the AMS system that secure all the items in your system. You assign membership to your users into pre-existing roles or into roles that you create. Likewise, you assign rights to members of those roles, in pre-existing security descriptors, or in security descriptors that you create. If the existing Security Descriptor for the Item you want to secure is insufficient, you can adjust it by adding roles and changing the rights assigned to the trustees.
Roles and security descriptors define user access to a wide range of items, so that you manage trustees who have rights to those items–you do not need to manage access on an item-by-item basis.
For detailed information and instructions on how to create Application Roles, go to Application Roles.
For detailed information and instructions on how to create Security Descriptors, go to Security descriptors.