
When you set up security for a custom object, you specify the permissions you want to give not to the job role but to the duty role at the top of the hierarchy. This duty role has the same name as the corresponding job role.
So, if I want to permit users with the sales representative job role to update the object, I grant the permissions to the sales representative duty role.