Do I apply a security role to a user or a user to a security role?

There are two ways of applying roles – you can apply security role to user or user to security role. If you need to describe a number of permissions or you need to reflect a job function then you would apply a security role to a type of user.
For example, when creating a new Manager role (user + permissions/security role), instead of applying lots of security roles to that person, you can have one security role that contains all the permissions needed for that person – this makes it less complicated. So if the job role (security role) as Manager has 7 permissions you would assign 1 security role with 7 permissions to the Manager user. This is much easier than having 7 separate security roles assigned to one Manager.

It is advisable to have as few security roles as possible to make it easier to administer on system.