In the table below, we can use a role named "Vault Transfer Required" across all the MC's. At first look, one might be tempted to create a role named "2FA" to handle each MC's different 2FA requirement. However, this naming is ambiguous as Keeper has over a dozen 2FA options. For long term platform management, it's best to name roles for the exact setting('s) they enforce. Our goal is consistent role naming and results across all MC's.