Using RolesChapter 5 Advanced Entry Management 167• Remove a particular role from a given entry.You can do everything you would normally do with static groups with managedroles, and you can filter members using filtered roles as you used to do withdynamic groups. Roles are easier to use than groups, more flexible in theirimplementation, and reduce client complexity.However, evaluating roles is more resource intensive because the server does thework for the client application. With roles, the client application can check rolemembership by searching the nsRole attribute. The nsRole attribute is a computedattributed that is not stored with the entry itself, which identifies which roles anentry belongs to. From the client application point of view, the method forchecking membership is uniform and is performed on the server side.Each role has members, or entries that possess the role. You can specify memberseither explicitly or dynamically. How you specify role membership depends uponthe type of role you are using. Directory Server supports three types of roles:• Managed roles—A managed role allows you to create an explicit enumeratedlist of members.• Filtered roles—A filtered role allows you to assign entries to the roledepending upon the attribute contained by each entry. You do this byspecifying an LDAP filter. Entries that match the filter are said to possess therole.• Nested roles—A nested role allows you to create roles that contain other roles.For more information about how roles work, refer to Netscape Directory ServerDeployment Guide.Managing Roles Using the ConsoleThis section contains the following procedures for creating and modifying roles:• Creating a Managed Role• Creating a Filtered Role• Creating a Nested Role• Viewing and Editing an Entry’s Roles• Modifying a Role Entry• Making a Role Inactive• Reactivating a Role