an ISOC use case
The Internet Society (ISOC) has chapters around the world as well as institutional members. They are creating a website where certain content and functionality will be limited to members. Members may be individuals from anywhere with no explicit affiliation, or they may be individuals at a variety of member institutions (commercial, research, and/or educational). The simplest use case here is that members of affiliated organisations would be able to visit the ISOC website with "basic member" rights automatically granted, without needing to be explicit members of ISOC. To access this protected content, visitors will either authenticate through Shibboleth back to their home institutions or through a local ID at the ISOC. Members may have different levels of access depending on their role - chapter heads will have access to their chapter roster, email lists, and other collaborative tools.
ISOC also wants to deploy a collaborative platform that will allow creation/management of working groups, along with tools/modules to support those groups: document management, mailing list management, chat channel, etc. However, it's important that participating individuals can have different permissions group-to-group. For instance, in one working group a member might be an Admin with create/edit/delete rights, but in another just a basic member with simple read-only rights. So roles would need to be managed not just at the site-wide macro level, but also within individual modules at the micro level.