I guess I am confused about roles and how they are interpreted. A quick check of the Zope Book didn't provide the answer. It would be nice if there were an index for the book. I've always thought of the roles as flags without an deeper semantics. But I am seeing some behavior that suggests I my model may be wrong. Are the standard roles (anonymous, authorized_user, manager) inclusive? By inclusive I mean that an authorized_user is also treated as an anonymous_user and that a manager is also anonymous and an authorized_user. Are user_defined roles inclusive? Or are they separate and distinct? If `wizard` is a user defined role, is it also an authorized_user for security purposes? I suspect the real answer here is "it depends upon the implementation". If that's the case, what is the best practice used in the Zope system.