OASIS eXtensible Access Control Markup Language (XACML) TC

Re: Another Group - Role Distinction?

  • 1.  Re: Another Group - Role Distinction?

    Posted 08-03-2001 09:47
    > Is it the case that groups propagate "up" whereas roles propagate "down" for
    > security purposes?
    
    I believe it is the case that:
    
    authorizations granted to groups always propagate to their members
    (subgroups and users)
    
    authorizations granted to roles can propagate to their subroles
    (you may not always want propagation to preserve least privilege).
    Not having propagation can be ok for roles, while it is not applicable for
    groups.
    
    When talking about identities, a user always connects as him/herself
    (i.e., the subject you will have to check is always a minimal element of
    the user-group hierarchy).
    However, it is not so for roles: a user can activate a role which is
    nonminimal in the role hierarchy.
    
    In such a context, authorization propagation when dealing with roles can
    have an additional aspect: if a user is authorized to activate a role s/he
    can also activate roles that are generalizations of it.
    
    -p
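The three rules in the post (group grants always flow down to members, role grants flow to subroles only when the grantor allows it, and authorization to activate a role covers its generalizations) as a small executable model. This is an added illustration, not the poster's code or anything the XACML TC produced; the hierarchies, user names and permission strings are constructed for the example.

```python
"""Toy model of the group/role propagation distinction discussed above."""

# Constructed sample hierarchies (assumptions for this example only).
# Each edge points from a node to its more general parent.
GROUP_PARENT = {"alice": "dev-team", "dev-team": "engineering", "bob": "engineering"}
ROLE_PARENT = {"lead-dev": "developer", "developer": "employee"}

# Group grants: always inherited by subgroups and users.
GROUP_GRANTS = {"engineering": {"read:wiki"}, "dev-team": {"push:repo"}}

# Role grants carry a propagate flag: a grant reaches subroles only when the
# grantor chose propagation, so a sensitive grant can stay on one role.
ROLE_GRANTS = {
    "employee": [("read:wiki", True)],
    "developer": [("push:repo", True), ("approve:release", False)],
}


def ancestors(node, parent):
    """Return the chain from node up to the top of its hierarchy, node first."""
    chain = [node]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain


def group_permissions(user):
    """A user is a minimal element: collect grants from every enclosing group."""
    perms = set()
    for group in ancestors(user, GROUP_PARENT):
        perms |= GROUP_GRANTS.get(group, set())
    return perms


def role_permissions(active_role):
    """Grants on the activated role itself always apply; grants on more
    general roles apply only if they were marked as propagating."""
    perms = set()
    for depth, role in enumerate(ancestors(active_role, ROLE_PARENT)):
        for perm, propagates in ROLE_GRANTS.get(role, []):
            if depth == 0 or propagates:
                perms.add(perm)
    return perms


def activatable_roles(authorized_role):
    """Being authorized for a role also permits activating its generalizations."""
    return set(ancestors(authorized_role, ROLE_PARENT))
```

Note that `approve:release` reaches a user activating `developer` but not one activating `lead-dev`, which is the least-privilege point the post makes about optional role propagation.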