The following figure illustrates how users, groups and roles relate.
In the figure above, there are:
Six roles: _run_as, _administrator, _search, _import, _metadata_w, and metadata_r.
Two regular groups: regular_user and readonly_user.
The group readonly_user depends on the roles _search and _metadata_r. The second group, regular_user depends on the roles _import and _metadata_w, and also the group readonly_user.
In the last relation, readonly_user is called the parent group and regular_user is the child group. A user which belong to regular_user actually has all four roles.
Three users: app_user, jdoe, and mrpink.
The user app_user has the role _run_as, jdoe has the roles _administrator, _search, _import, _metadata_w and _metadata_r and mrpink has the roles _search and _metadata_r.
To visualize the users and groups like above, see User/group visualization.