Security is configured using roles. This simple concept just means that instead of granting or revoking privilege based on user, you do so based upon the more abstract concept of a role, and then you assign users to belong to one or more roles.
The maintenance ramifications of this separation are fairly obvious - you define your security based upon the process, not the people. Ideally, the process remains constant even if the cast of characters changes. As people are hired, transferred, promoted, fired, etc, the security management simply becomes the re-assigning of roles, not the re-designing of your project.
Project Required Roles
The coarsest level of security for a Vision project is the project's Required Roles property. This is a list of roles that the user must have all of in order to log into the Client.