Reviewing some NIST documents, their core RBAC definition supposes that permissions are relations of operations with
objects.
http://www2.informatik.hu-berlin.de/Forschung_Lehre/algorithmenII/Lehre/WS2003-2004/Sem_Security/05RBAC/html/RBAC%20-%20paper_html_m5fb2d72f.png
It would be nice to have the same in ActiveRBAC so that we could define 'scope of role'.
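
An added sketch of the NIST core RBAC idea mentioned above (not ActiveRBAC code and not part of the original post): a permission is an (operation, object) pair, so a role's scope is the set of objects its permissions name. The class, method, role and object names are hypothetical and the sample data is constructed.

```ruby
require 'set'

# A permission relates one operation to one object type.
Permission = Struct.new(:operation, :object)

# Hypothetical minimal model: UA (user -> roles) and PA (role -> permissions).
class CoreRBAC
  def initialize
    @ua = Hash.new { |h, k| h[k] = Set.new }
    @pa = Hash.new { |h, k| h[k] = Set.new }
  end

  def assign_user(user, role)
    @ua[user] << role
  end

  def grant(role, operation, object)
    @pa[role] << Permission.new(operation, object)
  end

  # Deny by default: access needs an exact (operation, object) match
  # in at least one role assigned to the user.
  def permitted?(user, operation, object)
    wanted = Permission.new(operation, object)
    @ua.fetch(user, Set.new).any? do |role|
      @pa.fetch(role, Set.new).include?(wanted)
    end
  end

  # "Scope of role": which objects the role touches, and with which operations.
  def scope_of(role)
    @pa.fetch(role, Set.new)
       .group_by(&:object)
       .transform_values { |perms| perms.map(&:operation).sort }
  end
end

# Constructed sample data.
def build_sample
  rbac = CoreRBAC.new
  rbac.grant(:wiki_editor, :read,   :wiki_page)
  rbac.grant(:wiki_editor, :update, :wiki_page)
  rbac.grant(:wiki_editor, :read,   :ticket)
  rbac.assign_user('alice', :wiki_editor)
  rbac
end
```

Because the check matches on the pair rather than on the operation alone, holding `:update` on `:wiki_page` says nothing about `:update` on `:ticket`.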