Tom I agree with all your points except the one about checking for relational segment membership. If I use relational segments to define roles, I still grant permissions to the relational segment and check for the permission on a object for the party_id, usually [ad_conn user_id].
