I'm ramping up on MTS and have some confusion on the use of the security model.

Tell me where I go wrong:

When the client program (object) connects to the MTS object, it is authenticated
to a role based on the user's NT account (i.e. user name/password). Now
it is discouraged to use impersonation to authenticate to the third tier
(i.e. database) because of overhead. So how does one ensure that the user's
role has permission to talk to the third tier? Is it set up simply such that
if the user can access the component, they can use its functionality or
can the model be extended such that the DB further authenticates based on
the role? For example, can the DB be aware of the role and also authenticate
on its own using the role? For example, if a component has the role "accountant"
can the DB's security be set to lock out the "accountant" role? I imagine
the DB cannot be made aware of the role but I would appreciate clarification
on this point.

Another way to frame this question is: With impersonation the 2nd tier and
the third tier each authenticate the user. When a role is used, the 2nd
tier authenticates the user but what happens in the third tier? Does/can
the third tier authenticate the role?