This is not an easy question as it looks like. 
I understand terms like these:
Application session = backend = PLC itself = e.g. MV server run there
Visualization session = frontend = any panel or HW where MV client runs
Two additional terms I would like to introduce:
- RBAC = role-based access control and user management
- MpUserX = mappServices for user management and access control, it is in fact an extension of RBAC
Q1: When logging into a Visualization session would be enough?
A1: If you would like to limit only user control of the visualization according to his rights/role (admin, service, operator), and you do not need anything else, then logging into the visualization session would be enough. In this case, you do not need MpUserX for that; role-based access control is enough.
Q2: When is MpUserX only for the visualization session used?
A2: If you like the benefit from user management settings introduced by MpUserX e.g. password policy, etc. Also, the UserList widget works only with this authentication, but you are still interested only in limiting user access on the client side.
Q3: When is MpUserX for the visualization and application session used?
A3: In short, everything else. E.g. if you would like to limit your backend application functionality based on actual logged in user and rights of his roles
Note:
In mappView configuration, we speak about the parameter authentication mod.
Note 2:
I really simplify it. I’m not sure how far you are with knowledge collection, but this is the absolute minimum you should know.
To continue this discussion, maybe you can tell us what your use case for roles and authentication is, what you need for frontend and backend from roles and their rights perspective. And last but not least, if you are using AS4 or AS6, because there were some changes introduces.
I would also encourage others to reply here maybe my look is too complicated.
