Using groups to represent roles lets you set roles up as dynamic groups. Dynamic groups can be created using iManager. If you are using dynamic groups, the administrator does not need to constantly manage the Tomcat roles. In this case, eDirectory can manage the Tomcat roles for you. For example, if you have a payroll application that requires the Payroll role, you can set up a dynamic Payroll group in the Tomcat-Roles container. It could contain a rule to include all members of the ou=payroll.o=yourcompany, and when users are created in that container, they are automatically granted access to the payroll Web application.
The same rule applies when a user moves out of the Payroll container; they immediately cease to have rights to the payroll Web application without any action from the system administrator or Web application administrator.