A More Complex Example
To expand even more on the node-update example with added document permissions, you could have roles with both protected paths and document permissions.
Say you have a document with these nodes:
<foo>
<bar>
<baz>
At the document level, there are these permissions:
("role1", "read"), ("role1", "node-update")
("role2", "read"), ("role2", "node-update")
("role3", "read"), ("role3", "update")
At the element level, there are these permissions for protected paths:
<foo>, ("role1", "read"), ("role1", "node-update")
<bar>, ("role2", "read"), ("role2", "node-update")
In this example, role1 cannot update (or override) <bar> because at the element level role2 has <bar> protected path permissions. role3 can override everything because at the document level it has update capability but can only read <baz> which has no protected paths.
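
The scenario above as a small Python model, added here as an illustration; it is not MarkLogic code and does not call any MarkLogic API. It assumes that reading or node-updating an element requires the capability at the document level and, when the element has a protected path, on that path as well, and that document-level update allows overwriting the whole document; the function names are hypothetical.

```python
# Simplified model of the scenario above (added example, not MarkLogic code).
# Assumed rules: reading or node-updating an element needs the capability at
# the document level and, if the element's path is protected, on that path
# too; document-level "update" permits overwriting the whole document.

DOC_PERMS = {
    ("role1", "read"), ("role1", "node-update"),
    ("role2", "read"), ("role2", "node-update"),
    ("role3", "read"), ("role3", "update"),
}

# Protected paths from the example; <baz> has none, so it is absent here.
PATH_PERMS = {
    "foo": {("role1", "read"), ("role1", "node-update")},
    "bar": {("role2", "read"), ("role2", "node-update")},
}

NODES = ("foo", "bar", "baz")


def can(role, capability, node):
    """True if role holds capability on node under the assumed rules."""
    if (role, capability) not in DOC_PERMS:
        return False
    protected = PATH_PERMS.get(node)
    return protected is None or (role, capability) in protected


def can_overwrite_document(role):
    """Document-level update is not limited by protected paths."""
    return (role, "update") in DOC_PERMS


def summary(role):
    """Nodes the role can read and node-update, plus overwrite ability."""
    return {
        "read": [n for n in NODES if can(role, "read", n)],
        "node-update": [n for n in NODES if can(role, "node-update", n)],
        "overwrite": can_overwrite_document(role),
    }


if __name__ == "__main__":
    for role in ("role1", "role2", "role3"):
        print(role, summary(role))
```
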