the idea is that you use relations to represent that a role can or cannot do something, and then you add a role to a permission computation either by making the permission walk go through the role or by using the

&

intersection operator to include the role in the calculation