This is being discussed in Discord.
Bottom line is this:
If all the commands that need to run are able to be in an SVM, create an SVM role and add the full commands.
If the commands they need to run are a mix of cluster and SVM, create the role in the cluster.
You may need/want to use the -query argument for the commands.
Typically, you want to specify the least amount of access to get the job done,
like this for a cluster:
-cmddir "network interface service-policy show" -query "-vserver abc"
-> limits the user role to ONLY look at the service-policies for specifically the vserver abc. I can take this further!
-cmddir "network interface service-policy show" -query "-vserver abc -policy default-data-files"
-> limits the user role to ONLY look at the service-policies for specifically the vserver abc and only the specified policy!
It is important to use the fullest command possible to limit access and do not abbreviate commands!
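
Added example, not part of the original post: the cluster-scoped case above written out as full ONTAP CLI commands, with the narrowed query from the post attached to a read-only role. The names cluster1 (cluster admin SVM), svcpol_ro (role) and svc_monitor (account) are hypothetical; the SVM abc and the policy default-data-files are the ones used in the post.

```text
# Lines starting with '#' are annotations, not input.
# Hypothetical names: cluster1, svcpol_ro, svc_monitor.

# Create a cluster-level role that can run one command, read-only,
# restricted by -query to a single SVM and a single service policy.
cluster1::> security login role create -vserver cluster1 -role svcpol_ro -cmddirname "network interface service-policy show" -access readonly -query "-vserver abc -policy default-data-files"

# Review every entry in the role before assigning it to anyone.
cluster1::> security login role show -vserver cluster1 -role svcpol_ro

# Bind an account to the role (SSH with password chosen here as an assumption).
cluster1::> security login create -vserver cluster1 -user-or-group-name svc_monitor -application ssh -authentication-method password -role svcpol_ro
```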