Role Type
  • Roles group permissions for realms

  • Actors (users or visitors) are authorized for a single role

  • ANONYMOUS granted to unauthenticated users

  • USER granted to authenticated users without explicit RealmUser record

  • No explicit ordering; ADMINISTRATOR can have fewer permissions than GUEST

  • Yet role names imply an ordering; e.g., each realm must have at least one ADMINISTRATOR, which is granted all permissions

  • Bivio::Auth::Role is a non-delegated enumerated type

Notes:

Roles identify a collection of permissions for a realm. All actors are granted a role, whether they are authenticated users or not. bOP does not support multiple roles per actor (at this time). Realms and users may be changed during a single task execution (set_realm and set_user), and the role changes along with the realm and/or user.

Unauthenticated users (visitors) are granted the ANONYMOUS role until they are authenticated. Authenticated users are granted the USER role if the particular (Realm, User) tuple is not found in the RealmUser table. Like transient permissions, bOP differentiates between ANONYMOUS and USER to allow global behavioral differences between authentication states that would otherwise be hard to control.

Roles are unordered with respect to the permissions they carry. However, an ADMINISTRATOR must exist for every realm, and the explicit ordering of the enumerated type's values also implies an ordering. The implied ordering is ANONYMOUS (least privileged), USER, WITHDRAWN, GUEST, MEMBER, ACCOUNTANT, and ADMINISTRATOR (most privileged).
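The following is an added Python model of the role rules stated in the notes above (single role per actor, ANONYMOUS versus USER fallback from the RealmUser lookup, role re-derived after set_realm/set_user, ADMINISTRATOR holding all permissions, and the enum order being independent of permission grants). It is not bOP code, and bOP itself is written in Perl; the integer realm and user ids, the dict-shaped RealmUser table and grant table, and the permission names are all constructed assumptions for illustration.

```python
"""Model of the bOP role rules described on this page (constructed example, not bOP code).

Assumptions not taken from the page: realms and users are integer ids, the
RealmUser table is a dict keyed by (realm_id, user_id), per-realm grants are a
dict keyed by realm_id then Role, and the permission names are made up.
"""
from enum import IntEnum
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


class Role(IntEnum):
    """Enumerated type in the page's implied order, least to most privileged.
    The integer order is only the enum's declaration order; it says nothing
    about which permissions a realm actually grants to each role."""
    ANONYMOUS = 1
    USER = 2
    WITHDRAWN = 3
    GUEST = 4
    MEMBER = 5
    ACCOUNTANT = 6
    ADMINISTRATOR = 7


Permission = str
RealmUserTable = Dict[Tuple[int, int], Role]
RealmGrants = Dict[int, Dict[Role, FrozenSet[Permission]]]

# Constructed permission names; the full set is what ADMINISTRATOR always receives.
ALL_PERMISSIONS: FrozenSet[Permission] = frozenset({
    "DOCUMENT_READ", "DOCUMENT_WRITE", "ACCOUNT_READ", "ACCOUNT_WRITE", "REALM_ADMIN",
})


def role_for(realm_id: int, user_id: Optional[int], realm_user: RealmUserTable) -> Role:
    """One role per actor: ANONYMOUS when unauthenticated, the RealmUser record
    when one exists for (realm, user), otherwise USER."""
    if user_id is None:
        return Role.ANONYMOUS
    return realm_user.get((realm_id, user_id), Role.USER)


def permissions_for(realm_id: int, role: Role, grants: RealmGrants) -> FrozenSet[Permission]:
    """ADMINISTRATOR is granted everything; every other role has only what the
    realm explicitly grants it, so GUEST may legitimately exceed ACCOUNTANT."""
    if role is Role.ADMINISTRATOR:
        return ALL_PERMISSIONS
    return grants.get(realm_id, {}).get(role, frozenset())


def realms_without_administrator(realm_ids: Iterable[int], realm_user: RealmUserTable) -> List[int]:
    """Invariant check: every realm must have at least one ADMINISTRATOR."""
    admins = {realm for (realm, _user), role in realm_user.items() if role is Role.ADMINISTRATOR}
    return sorted(r for r in realm_ids if r not in admins)


class TaskContext:
    """Realm and user may change during one task execution; the role is derived
    from the current (realm, user) pair on every access, so it changes with them."""

    def __init__(self, realm_user: RealmUserTable, grants: RealmGrants,
                 realm_id: int, user_id: Optional[int] = None) -> None:
        self._realm_user = realm_user
        self._grants = grants
        self.realm_id = realm_id
        self.user_id = user_id

    def set_realm(self, realm_id: int) -> None:
        self.realm_id = realm_id

    def set_user(self, user_id: Optional[int]) -> None:
        self.user_id = user_id

    @property
    def role(self) -> Role:
        return role_for(self.realm_id, self.user_id, self._realm_user)

    def can(self, permission: Permission) -> bool:
        return permission in permissions_for(self.realm_id, self.role, self._grants)


# Constructed sample data: two realms; realm 2 has no ADMINISTRATOR on purpose.
SAMPLE_REALM_USER: RealmUserTable = {
    (1, 100): Role.ADMINISTRATOR,
    (1, 101): Role.GUEST,
    (1, 102): Role.ACCOUNTANT,
    (2, 101): Role.MEMBER,
}
SAMPLE_GRANTS: RealmGrants = {
    1: {
        Role.ANONYMOUS: frozenset({"DOCUMENT_READ"}),
        Role.USER: frozenset({"DOCUMENT_READ"}),
        # Deliberately "inverted": in this realm GUEST holds more than ACCOUNTANT.
        Role.GUEST: frozenset({"DOCUMENT_READ", "DOCUMENT_WRITE"}),
        Role.ACCOUNTANT: frozenset({"ACCOUNT_READ"}),
    },
    2: {Role.MEMBER: frozenset({"DOCUMENT_READ"})},
}

if __name__ == "__main__":
    ctx = TaskContext(SAMPLE_REALM_USER, SAMPLE_GRANTS, realm_id=1)
    print(ctx.role.name, ctx.can("DOCUMENT_WRITE"))   # ANONYMOUS False
    ctx.set_user(101)
    print(ctx.role.name, ctx.can("DOCUMENT_WRITE"))   # GUEST True
    ctx.set_realm(2)
    print(ctx.role.name, ctx.can("DOCUMENT_WRITE"))   # MEMBER False
    print(realms_without_administrator([1, 2], SAMPLE_REALM_USER))  # [2]
```

The point of the sample grants is the "no explicit ordering" rule: `Role.GUEST < Role.ACCOUNTANT` holds as enum values, yet in realm 1 the GUEST role can write documents and the ACCOUNTANT role cannot, so a permission check must always consult the realm's grants rather than compare role values. The invariant check is the kind of thing to run when RealmUser rows are edited, since removing the last ADMINISTRATOR of a realm leaves nobody holding all permissions there.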

Unlike other types, Bivio::Auth::Role is non-delegatable. This will probably change in the future as the need arises.