Hmmm ...
Can you say more about this
"> authorizations granted to roles can propagate to their sub roles
> (you may not always want propagation to preserve least privilege)."
And
"> In such a context authorization propagation when dealing with roles can
> have an additional aspect: if a user is authorized to activate a role s/he
> can also activate roles that are generalization of it."
I need to be clear about "generalization". In the hierarchy
Chief Auditor
Senior Auditor
Junior Auditor
Which is a generalization of Senior Auditor? From your statement and what I
think the security should be, I would say a Senior Auditor can activate a
Junior Auditor role. However, based on my understanding of the term
"generalization" I would say Chief Auditor.