the concept is that it's separating "what permission" from "what object" for the purposes of allowing m2m between roles and permission sets. i'm still a n00b when it comes to the schema language, so i'm having trouble expressing these ideas - the general concept is that I want to be able to express "can a user do a thing on an object" as "does a user have a role attached to the object" and "is that role attached to an individual permission that allows them to do a thing." my sense is that there needs to be an intersection somewhere, but i'm not sure whether it'd be on the object (with a somewhat circuitous path back to the individual permission) or on the role itself. i can also just go and take some time to bash on it a bit more and come back with a more specific question.