When using IA with rules, think about the access roles as any other object you can put on the source of the rule.
As long as you won't block anyone, they won't be blocked.
The access role is only there to translate user identity data from multiple sources into "ip" addresses.
Remember that the fw is still a fw, so when a packet goes by it does not know if it's user x or user y. It relies on logs it collects from the domain controller, for example, to understand that user x logs into a machine that has the ip 1.1.1.1, and when it tries to match a packet with an ip that has a user mapped to it, it will also check the access roles.
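A simplified model of the behaviour described above, as an added example that is not part of the original post and not the product's own logic: logon records become an IP-to-user map, and an access role in the rule source is resolved through that map like any other source object. The log format, group names and rule base are constructed assumptions.

```python
import ipaddress

# Constructed logon records standing in for what the gateway learns from a
# domain controller (hypothetical format, not a real log schema).
LOGON_EVENTS = [
    "2024-05-01T09:00:00 logon user=alice ip=1.1.1.1",
    "2024-05-01T09:05:00 logon user=bob ip=1.1.1.2",
    "2024-05-01T10:00:00 logon user=carol ip=1.1.1.1",  # later logon replaces alice
]
# Constructed group membership used to resolve access roles.
GROUPS = {"alice": {"finance"}, "bob": {"it-admins"}, "carol": {"it-admins"}}

def build_ip_map(events):
    """Translate identity events into an ip -> user table (last logon wins)."""
    ip_to_user = {}
    for line in events:
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        ip_to_user[fields["ip"]] = fields["user"]
    return ip_to_user

def source_matches(src, packet_ip, ip_to_user):
    """An access role is just another source object, resolved via the ip map."""
    kind, value = src
    if kind == "any":
        return True
    if kind == "network":
        return ipaddress.ip_address(packet_ip) in ipaddress.ip_network(value)
    if kind == "access_role":
        user = ip_to_user.get(packet_ip)  # the packet itself carries no user
        return user is not None and value in GROUPS.get(user, set())
    raise ValueError(f"unknown source type: {kind}")

# Constructed rule base: (name, source, destination port or None for any, action)
RULES = [
    ("admin-ssh", ("access_role", "it-admins"), 22, "accept"),
    ("lan-web", ("network", "1.1.1.0/24"), 443, "accept"),
    ("cleanup", ("any", None), None, "drop"),
]

def decide(packet_ip, dport, ip_to_user, rules=RULES):
    """First-match evaluation: return (rule name, action) for a packet."""
    for name, src, port, action in rules:
        if port in (None, dport) and source_matches(src, packet_ip, ip_to_user):
            return name, action
    return "implicit", "drop"
```

An IP with no mapped user simply fails the access-role rule and continues down the rule base, so it is only dropped if a later rule drops it.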