A given principal can play multiple roles at the same time. So long as those selected roles are allowed to co-exist (i.e., they are not mutually disjoint roles), the principal can exercise the roles simultaneously, and thus obtain the union of privileges associated with them. To extend the above example, in a company intranet environment, access to a budget information file might be limited to the group named companyBudgetReviewers. A principal who has been assigned role of a Manager can access this information , due its privilege which contains the group membership. This group membership need not be explicitly assigned to the identity, but can just be associated with a role, in this case Manager. Similarly, the capability to make an offer to a candidate is automatic for a Manager as it contains the capability MakeAppointmentOffer having been granted by the company itself.
: Obtaining domain information from execution stack
