Every time a client authenticates in your network they are given a role. The role can be pretty much anything. The role controls the client’s abilities in the network and access to its resources. The rules in the role can permit access to other subnets, of deny access to a corporate network and resources. You can configure bandwidth contracts in the role and apply the contract on a per user basis instead of to the entire role. There is an ability to configure logging in case you have a voice network and non-voice packets are detected. If it is a guest network you could configure a time range in the role to prevent guest use after hours.
The configuration options available are many but you will need to stay current on your roles assigned in you network as changes in applications used may require a change to the role to allow new features of the applications to work.
It is important to stay with a steady naming system for your roles. Make the names specific, so you can recognize what each role is. This is very important when dealing with Clearpass. You will save yourself a lot of time if the roles are systematically named. Never use the default roles. It will work and you can use them but it is a best practice to create a new role when you are configuring a network.
A great document can be found in the Knowledge Base on Roles and Policies
Configuration of roles is completed in Configuration>Access Control> User Roles> Add
