Hmm, I totally didn't answer Tom's point about roles.
I see the difference here.
Joel is looking for a way to define which permissions as assigned as a role.
Tom and I have both stated that you can do this yourself, be building an application that grants the permissions to users with a certain relationship to a group, but there is no facility to define several permissions that go together to create a "role".
Joel seems to be advocating openacs sitewide role definitions instead of the current system where each application defines and grants its own permissions.