The roles with access to make changes to security policies typically include the Administrator and the Web Application Security Editor. The Administrator role generally has broad access across the system, including security configurations. The Web Application Security Editor role is specifically designated for managing web application security, which includes making changes to security policies.