As I understand it in authorization models such as RBAC you assign permission(s) to a role e.g. "an admin can do x" and then you assign a role to a user e
