If your user have the WebEditors role from your authentication service, e.g. an active directory, it will be mapped to the CustomerManagers virtual role.

See Virtual roles (optimizely.com)

The "Items" are the roles you want to handle in the CMS. Try to keep them pretty few. "CMSEditors" is an example above that normally have access to edit mode.

The MappedRoles array are normally roles you get from your login, might be from your SSO or AD or similar. This can be quite a few roles that should have access to the edit mode in a large organization but instead of allowing all of them access you assign them a virtual role "CMSEditors" and grant that one access. 

The first rule above says that any user that belongs to the roles "WebEditors" or "CatalogManagers" or "CommerceAdmins" or "CustomerManagers" also will automatically get the role CMSEditors as a bonus role.

That's the why behind it. Hope that helps?

Hi, 

In general, this settings is used to map source roles to a target role. For example if we want to consider a user in WedEditors role should be in CMSEditors role as well.

In the first rule, source roles are WebEditors, CatalogManagers, CommerceAdmins and CustomerManagers. Target role is CmsEditors. ShouldMatchAll option is false => it means if the user just need to belong to one of source roles then that user will belong to the target role as well. If ShouldMatchAll option is true => it means the user must belong to all of source roles then it will belong to the target role.