I have a mainDB.nsf that contains all of the XPages design, agents, script libraries etc. From this database the user selects an application. There may be one or more application databases. Each of the applications databases contain the actual data for the application, plus the views of that data that is accessed in custom controls in the mainDB. So when a person authenticates against the mainDB they get all their security rights and assume that there is a role in the mainDB called [Finance]. Now there are no real data documents in the mainDB but in the PurchaseReq.nsf there are and anyone with the [Finance] role gets Editor rights to all documents in the PurchaseReq.nsf. So I have defined the role in both the mainDB.nsf and PurchaseReq.nsf. However, I do not want the person with the role [Finance] to have Editor rights in mainDB.nsf but only in PurchaseReq.nsf. If I assign the role to a person in the MainDB.nsf with say Reader rights and duplicate the ACL entry in the PurchaseReq.nsf with Editor rights the user opens a document in PurchaseReq.nsf will they have reader or editor rights. Seccondly, do I even have to have the role [Finance] in the mainDB.nsf.

I read somewhere about this sort of setup with a design database and multiple data repositories but I can't find that reference.

Access is determined on a per database level - and not across databases.

So if you assign a role to a person in MainDB.nsf with Reader rights and assign a role with the same name with Editor rights in another database, then the person will have reader rights to MainDB.nsf and editor rights to the other database.

The role is not necessary in MainDB unless used for access control to documents/design elements in that database.