Store in user store itself. Only users in that user store can assign to external roles in same user store.
Eg : user_A can assign to role_A
user_B can't assign to role_A
In the user stores Users are assign to a Groups. Within the WSO2 servers we have Roles and directly map one Group to a Role then assign the permission for that role. There is a one to one mapping between Groups and Roles and same Group name is used to represent the Role in the server.
Internal/everyone : This is a conceptual role that is used to group all the users (across the user stores) together. When you create a new user, automatically the user belongs to the Internal/everyone role.
Application Role : is a special case of internal roles, these are created for a single service provider ( SP ) application and only users in this role can mange relevant SP application.