Separating out "roles" from "identities" from "credentials" in the system architecture does wonders to prevent future confusion on this point.
Consider how we treat each of the following separately: a person, their "employee" status, their key card, and the access right granted via that card.
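A minimal sketch of that separation, added here as an illustration and not taken from any particular system: the person, their "employee" status, their key card, and the access right live in four separate tables, and an access decision resolves credential to identity to role to right. All names (`Directory`, `authorize`, `alice`, `card-1`, `front-door`) are hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Directory:
    """Four separate tables: person / status / key card / access right."""
    identities: set = field(default_factory=set)     # person ids
    roles: dict = field(default_factory=dict)        # person id -> set of role names
    credentials: dict = field(default_factory=dict)  # card id -> {"owner", "revoked"}
    grants: dict = field(default_factory=dict)       # role name -> set of access rights

    def add_person(self, pid):
        self.identities.add(pid)
        self.roles.setdefault(pid, set())

    def issue_card(self, card_id, pid):
        if pid not in self.identities:
            raise KeyError(f"unknown identity {pid}")
        self.credentials[card_id] = {"owner": pid, "revoked": False}

    def revoke_card(self, card_id):
        self.credentials[card_id]["revoked"] = True

    def authorize(self, card_id, right):
        """Resolve credential -> identity -> roles -> rights; deny on any missing link."""
        cred = self.credentials.get(card_id)
        if cred is None or cred["revoked"]:
            return False
        held = self.roles.get(cred["owner"], set())
        return any(right in self.grants.get(r, set()) for r in held)

def demo():
    d = Directory()
    d.grants["employee"] = {"front-door"}   # the right hangs off the role
    d.add_person("alice")
    d.roles["alice"].add("employee")
    d.issue_card("card-1", "alice")
    results = {"initial": d.authorize("card-1", "front-door")}
    # Lost card: only the credential changes; identity and role are untouched.
    d.revoke_card("card-1")
    d.issue_card("card-2", "alice")
    results["old_card"] = d.authorize("card-1", "front-door")
    results["new_card"] = d.authorize("card-2", "front-door")
    # Employment ends: only the role changes; no card needs to be touched.
    d.roles["alice"].discard("employee")
    results["after_offboarding"] = d.authorize("card-2", "front-door")
    results["identity_kept"] = "alice" in d.identities
    return results
```

Each lifecycle event (lost card, offboarding) edits exactly one table, which is what keeps the three concepts from being confused later.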