Using roles is the recommended way to securely delegate permissions for applications running on virtual servers. Roles can be assumed by anyone or anything that is granted access, which eliminates the need for embedding credentials in the applications. Moreover, roles can provide temporary security credentials to applications to interact with other resources. In contrast, individual user accounts are meant for human access and embedding their credentials can be less secure and harder to manage. Groupings are used to assign permissions to multiple users, not applications. SCPs are used in organizational policies to govern permissions and are not the direct means for applications to access resources.