Users will often have multiple roles associated with them. Depending on how they interact with the system, a different initial role (and a user domain) might be needed. Consider a user who interacts with a system locally (through the console), remotely through SSH (for administrative purposes), and through FTP (as an end user), as depicted in the following diagram:

We want to make sure that the default role in which the user session starts on the system depends on the entry point on the system. Direct console logon can be in the administrative role, sysadm_r, whereas remote logon is first in the staff_r role (to ensure ...