I wouldn't go so far as to say that my solution was necessary because of problems with the permissions/object model. Permissions apply to individual objects, or if attributes were objects, they would apply to individual attributes. Roles apply to object types. In most applications, except workflow, roles are implicitly defined by the UI. The UI gives meaning to the permissions. You can add privileges and subprivileges all day long, but that doesn't do anything about defining a role. A role exists before individual objects are created and continues to exist independent of individual objects. But when you remove an object, you have to remove permissions first.
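The split the post describes (roles defined per object type, permissions granted per object, permissions cleaned up before the object is removed) can be made concrete with a small model. The following is an added example written for this discussion, not code from the poster or from any project mentioned in the thread; the store, its method names, the "editor" role, the principal names and the object names are all hypothetical. It also shows the failure mode the last sentence warns about: if an object is deleted without removing its permissions and its name is later reused, the stale grant silently applies to the new object.

```python
from dataclasses import dataclass, field


@dataclass
class AuthzStore:
    """Hypothetical authorization store (example only).

    objects:     object name -> object type
    roles:       role name -> {object type -> set of actions the role may perform}
    assignments: principal -> set of role names
    permissions: (principal, object name) -> set of actions granted on that object
    """
    objects: dict = field(default_factory=dict)
    roles: dict = field(default_factory=dict)
    assignments: dict = field(default_factory=dict)
    permissions: dict = field(default_factory=dict)

    # Roles are defined against object types and exist before any object does.
    def define_role(self, role, type_name, actions):
        self.roles.setdefault(role, {}).setdefault(type_name, set()).update(actions)

    def assign_role(self, principal, role):
        self.assignments.setdefault(principal, set()).add(role)

    def create_object(self, name, type_name):
        if name in self.objects:
            raise ValueError(f"object {name!r} already exists")
        self.objects[name] = type_name

    # Permissions are granted against individual objects and cannot outlive them.
    def grant(self, principal, name, actions):
        if name not in self.objects:
            raise KeyError(name)
        self.permissions.setdefault((principal, name), set()).update(actions)

    def role_allows(self, principal, type_name, action):
        return any(action in self.roles.get(r, {}).get(type_name, set())
                   for r in self.assignments.get(principal, set()))

    def check_access(self, principal, name, action):
        # Both layers must agree: the role permits the action on the object's
        # type, and an object-level permission grants it on this object.
        type_name = self.objects.get(name)
        if type_name is None:
            return False
        if not self.role_allows(principal, type_name, action):
            return False
        return action in self.permissions.get((principal, name), set())

    def delete_object_naive(self, name):
        # Wrong order: the object goes away but its permissions stay behind.
        del self.objects[name]

    def delete_object(self, name):
        # Right order: strip every permission on the object, then remove it.
        if name not in self.objects:
            raise KeyError(name)
        for key in [k for k in self.permissions if k[1] == name]:
            del self.permissions[key]
        del self.objects[name]

    def dangling_permissions(self):
        # Integrity check: grants that reference an object that no longer exists.
        return sorted(k for k in self.permissions if k[1] not in self.objects)


def stale_grant_demo(cleanup):
    """Delete an object with or without cleanup, then reuse its name.

    Returns (alice can still read the new object, dangling grants seen after
    the delete). Constructed scenario; names are hypothetical.
    """
    store = AuthzStore()
    store.define_role("editor", "document", {"read", "write"})
    store.assign_role("alice", "editor")
    store.create_object("reports/q3.txt", "document")
    store.grant("alice", "reports/q3.txt", {"read"})
    assert store.check_access("alice", "reports/q3.txt", "read")
    if cleanup:
        store.delete_object("reports/q3.txt")
    else:
        store.delete_object_naive("reports/q3.txt")
    dangling = store.dangling_permissions()
    # Someone else creates a new object under the same name.
    store.create_object("reports/q3.txt", "document")
    return store.check_access("alice", "reports/q3.txt", "read"), dangling


if __name__ == "__main__":
    print("naive delete:", stale_grant_demo(cleanup=False))
    print("proper delete:", stale_grant_demo(cleanup=True))
```

The `dangling_permissions` check is the kind of invariant worth running periodically, or enforcing with a foreign key from the permission table to the object table, so that a deleted object can never leave a grant behind for a future object with the same identifier.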