Hi Fernando
You Single Role Approval would be again the BRM approval process - approving role content. You would need an initiator rule to split out role type to send to different path and then do line-by-line for single roles in the business role to the role owner.
Your Business Role Approval would be against CUP/ARQ - when a user request access you would just do Role owner approval for the business role being requested.
Curiosity - if you don't have a Security Administrator who does Security?
Regards
Colleen