- Role: a named bundle of responsibilities (editor, admin, member)
- Group: a scope or context (org, team, project, publication)
- Permission / Capability (capability preferred in code): a boolean fact about allowed behavior

## tips

- In the database, capabilities are boolean values. Name each one as a verb-subject pair. Don't include `can`, and definitely do not include `cannot`: a capability states what is allowed, never what is forbidden.
  - ✔️ `edit_post`
  - ❌ `cannot_remove_comment`
- The capabilities table is deliberately flat. If you need to group capabilities, use `.` as a delimiter in the name and sort and filter on that prefix in your queries and in your UI.
  - ✔️ `blog.edit_post`, ✔️ `blog.moderate_comment`
  - or ✔️ `blog.post.edit`, ✔️ `blog.post.delete`, ✔️ `blog.comment.moderate`, ✔️ `blog.comment.edit`

  All of these are fine.
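The following is an added example, not code from the original notes. It assumes a single flat `capability` table plus a `role_capability` join table in SQLite (an illustrative schema, not one the notes prescribe), and shows three things the tips above imply: validating a capability name against the verb-subject / no-`can`-or-`cannot` rule, answering the boolean "does this role hold this capability?" question, and filtering the flat table by a dotted prefix. The prefix query escapes `_` and `%` before using `LIKE`, because snake_case names are full of `_` and an unescaped `_` is a single-character wildcard.

```python
import re
import sqlite3

# One dotted segment: lowercase snake_case such as "blog" or "edit_post".
# The regex is an assumption; the notes give the rule, not a formal grammar.
_SEGMENT = r"[a-z][a-z0-9]*(?:_[a-z0-9]+)*"
_NAME_RE = re.compile(rf"^(?:{_SEGMENT}\.)*{_SEGMENT}$")
_FORBIDDEN_WORDS = {"can", "cannot"}


def is_valid_capability(name: str) -> bool:
    """True if `name` is lowercase dotted snake_case and its leaf segment
    (the verb_subject part) contains neither `can` nor `cannot`."""
    if not _NAME_RE.match(name):
        return False
    leaf = name.rsplit(".", 1)[-1]
    return _FORBIDDEN_WORDS.isdisjoint(leaf.split("_"))


def build_store() -> sqlite3.Connection:
    """In-memory schema (illustrative): a flat list of capability names,
    and a role -> capability mapping."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE capability (name TEXT PRIMARY KEY);
        CREATE TABLE role_capability (
            role TEXT NOT NULL,
            capability TEXT NOT NULL REFERENCES capability(name),
            PRIMARY KEY (role, capability)
        );
        """
    )
    return conn


def grant(conn: sqlite3.Connection, role: str, capability: str) -> None:
    """Register a capability (rejecting badly named ones) and grant it to a role."""
    if not is_valid_capability(capability):
        raise ValueError(f"bad capability name: {capability!r}")
    with conn:
        conn.execute("INSERT OR IGNORE INTO capability VALUES (?)", (capability,))
        conn.execute(
            "INSERT OR IGNORE INTO role_capability VALUES (?, ?)", (role, capability)
        )


def has_capability(conn: sqlite3.Connection, role: str, capability: str) -> bool:
    """The boolean fact: does this role hold this capability? Absence means no."""
    row = conn.execute(
        "SELECT 1 FROM role_capability WHERE role = ? AND capability = ?",
        (role, capability),
    ).fetchone()
    return row is not None


def _like_escape(text: str) -> str:
    # `_` and `%` are LIKE wildcards, so escape them (and the escape char itself).
    return text.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def capabilities_under(conn: sqlite3.Connection, prefix: str) -> list[str]:
    """All capability names inside a dotted namespace (the exact prefix included), sorted.
    Without escaping, LIKE 'blog.edit_post.%' would also match 'blog.editxpost.view'."""
    pattern = _like_escape(prefix) + ".%"
    rows = conn.execute(
        "SELECT name FROM capability WHERE name = ? OR name LIKE ? ESCAPE '\\' ORDER BY name",
        (prefix, pattern),
    ).fetchall()
    return [r[0] for r in rows]


def capabilities_for_role(conn: sqlite3.Connection, role: str) -> list[str]:
    """Sorted capability names granted to a role (what a permissions UI would list)."""
    rows = conn.execute(
        "SELECT capability FROM role_capability WHERE role = ? ORDER BY capability",
        (role,),
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = build_store()
    for cap in ("blog.post.edit", "blog.post.delete", "blog.comment.moderate"):
        grant(db, "editor", cap)
    grant(db, "member", "blog.comment.edit")
    print(capabilities_under(db, "blog.post"))
    print(has_capability(db, "member", "blog.post.edit"))
```

Keeping the table flat and deriving grouping purely from the name means a new namespace needs no schema change; the cost is that every prefix query must escape the name before building the `LIKE` pattern, which is why that lives in one helper.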