we have the following structure :

access
=> role
=> action

access is similiar to the typically used user_id for simple session based login stuff. role is a group of actions and actions are more or less fine grained permission definitions.
now how will actions be used? is the role just a collection of actions or does it act more like a namespace? i mean i could use actions as a unique id for specific tasks and reuse them in different roles or i could just define them where needed.
most examples given were more into the direction of treating roles as simple containers for actions. looking at this from the administration interface side would mean that we can't or shouldn't do too much magic for the role => actions relation. roles are dump containers which may or may not contain actions.

basic usage :

- add / edit / delete actions
* deleting actions with references from roles is allowed
* delete : delete all references by roles

- add / edit / delete roles
* deleting roles with assigned actions is allowed
* delete : delete all references by accesses
* delete : delete all references to actions

- add / edit / delete accesses
* deleting accesses with assigned roles is allowed
* delete will delete all references to roles

Sike