- I have an employee resource: on that resource, you can do 4 actions view, promote, transfer, and fire. - There are multiple departments and each department provides permission for different actions to its manager role. For example in one department manager can fire an employee and in another department, the manager can't. I am okay to create different manager roles for each department, for example, Dept1_manager - How can I model it so that when a new department comes up and ask for a role with a specific combination of permission for a manager role, I don't need to change the employee definition? I basically want to decouple the employee definition and manager role definition.