Module roles are required by applications that run privileged escalations and they behave the same as roles with respect to memberships. Module roles are dm_group objects with group_class set to module role. Any user, group, or dynamic group can be a member of a module role.

By default, module roles are dynamic. A dynamic module role is a role whose list of members is considered a list of potential members. User membership is controlled on a session-by-session basis by the application at runtime. The members of a dynamic module role comprise of the set of users who are allowed to use the module role; but a session started by one of those users will behave as though it is not part of the module role until it is specifically requested by the application. Administrators should not modify module roles unless they are configuring a client that requires privileged escalations.