Each Teiid data role can be mapped to any number of container roles or any authenticated user.
You may control role membership through whatever system the Teiid security domain login modules are associated with. The kit includes example files for use with the UsersRolesLoginModule - see teiid-security-roles.properties.
If you have an alternative security domain that a VDB should use, then set the VDB property security-domain to the relevant security domain.
It is possible for a user to have any number of container roles, which in turn imply a subset of Teiid data roles. Each applicable Teiid data role contributes cumulatively to the permissions of the user. No one role supersedes or negates the permissions of the other data roles.