A newbie question...
When I use the IDM Application Collector...

What is the best practice when you use roles and resources in the IDM?

For example, if I have a role named "AD Account role" that is associated
with a resource named "AD Account resource".

If I do a review for "all permissions" then both will show up, which can
be confusing.

I have created a technical role called "Active Directory User Account"
that contains the IDM role and resource.

Can I somehow create a review for all permissions except those
permissions that are in role X?

I'm also thinking about what is the best way to manage those IDM roles
that a reviewer should not be able to remove? For example roles that are
assigned by groups (dynamic/static), assigned by containers or assigned
by IDM business policy?

Should I group them in a technical role or a business role in AR?

I'm also thinking that maybe I shouldn't do reviews on permissions and
do reviews on roles instead.

That creates a dilemma: in a worst-case scenario I would need to create
one AR role per IDM role?

From what I can see I can't mix permissions and roles in a review?