Returns a comma-separated list of domain roles for the user identity associated with the client-principal object. This list cannot contain embedded spaces. If not specified, the AVM returns a zero-length character string.
Once the client-principal object is sealed, this attribute is read-only, and attempting to write to it raises a run-time error.
Note: You can use this attribute with the CAN-DO function, for example, to identify application functions accessible to a user both according to their user ID and according to their role.
