When planning Security and Compliance roles in Microsoft 365, it's important to consider the jobs that your Security and Compliance admins will be performing. This is important because there are many different role groups that are available in the Security and Compliance Center and different roles are assigned to each role group. This produces a really granular permission structure. The table that you see on your screen shows the default role groups that are available in the Security and Compliance Center along with descriptions of what each role group does. 

As you can see on your screen, the compliance administrator role group manages settings for device management, data loss prevention, reports, and preservation. While the compliance DATA administrator manages settings for device management, data protection, data loss prevention, reports, and preservation. Data investigators can perform searches on mailboxes, SharePoint Online sites, and on OneDrive for Business locations.

The eDiscovery manager can perform searches and place holds on mailboxes, SharePoint Online sites, and OneDrive for Business locations. The eDiscovery manager can also create and manage eDiscovery cases. MailFlow administrators can monitor and view MailFlow insights and reports in the Security and Compliance Center. If the MailFlow administrator isn't also a member of the Exchange admin group however, the MailFlow administrator won't have access to Exchange admin related tasks. Members of the organization management role can control permissions for accessing features in the Security and Compliance Center. They can manage settings for device management, data loss prevention, reports, and preservation. 

It's important to note that Office 365 global admins are automatically added to the organization management role group. Records management role group members can manage and dispose record content while reviewers can only view the list of cases on the eDiscovery cases page in the Security and Compliance Center. Reviewers cannot create, open, or manage eDiscovery cases. 

The main purpose of a reviewer is essentially to allow members to view and access case data in Advanced eDiscovery. It's important to note that the reviewer has the most restrictive eDiscovery related permissions. Security administrators by default are not assigned any roles. They have the same read-only permissions as the security reader role, plus several other administrative permissions. Security operators can manage security alerts and view reports and settings of security features while security readers have read-only access to several security features of Identity Protection Center and Privileged Identity Management. Membership in this particular role is synchronized across services and it's managed centrally. 

Service assurance users can access the service assurance section in the Office 365 Security and Compliance Center while supervisory review members can create and manage policies that define which communications are subject to review in an organization. So as you can probably tell by now, access in the Security and Compliance Center is pretty granular. As such, it's important to plan out which users will need to perform which tasks when planning out Security and Compliance roles for Microsoft 365.