I read the section "Good to know" about using multiple roles and I seem to understand it. However, this makes it impossible for me to use TAC for what I need, so I'm hoping somebody else has an idea or solution for this.

The situation is very simple: the site has a role called "Member", which is for paid members/subscribers of the site. A taxonomy called "Access" is assigned to each article on the site. The 3 terms in this taxonomy are: "All access", "Member only", "Non-member only".

Obviously "All access" is easy (all roles get (A)llow). "Member only" is also easy. Anonymous gets (D)eny, Authenticated users get (D)eny and Members get (A)llow.

The hard part is implementing the "Non-member only" access. This is for articles (such as "Become a member of this site!") that should be hidden for members but visible to everybody else (anonymous or registered). I tried setting this to Anonymous: (A)llow, Authenticated (A)llow, Members (D)eny. However, because a Member also always has the role of Authenticated, the Members also end up seeing the content (the (A)llow from Authenticated overrides the (D)eny from Members).

Can anybody suggest a way around this problem? Either via another module or even some custom code?

Comments

xjm’s picture

Interesting; this is a use case I've never considered. I don't know of any access control module that would do that out of the box. (One might exist, but I didn't find it in a quick search.) I think the easiest option would be to automatically grant all your generic authenticated users one role--say, "non-member"--and then automatically remove that role when they become a "member." That way, anonymous and "non-member" could have Allow for that term while "member" had Deny.

You could probably use Rules or custom code to accomplish this. There's also the Auto Assign Role module (though I don't know if that module also handles removing roles).
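The Allow-overrides-Deny behaviour from the original post and the workaround suggested in the comment above, modelled as an added example that is not part of the thread and is not Taxonomy Access Control's own code. The "non-member" role name follows the comment; the function names, grant tables and sample inputs are assumptions made for illustration.

```python
# Simplified model of the rule quoted in the thread: an Allow from any role a
# user holds overrides a Deny from another. Not Taxonomy Access Control's code.
ALLOW, DENY = "A", "D"
TERMS = ("All access", "Member only", "Non-member only")

# Original attempt from the first post; tuple columns follow TERMS.
ORIGINAL = {
    "anonymous":     (ALLOW, DENY, ALLOW),
    "authenticated": (ALLOW, DENY, ALLOW),
    "member":        (ALLOW, ALLOW, DENY),
}
# Workaround: a separate "non-member" role carries the Allow, so the
# "authenticated" role (which members also hold) no longer grants it.
WORKAROUND = {
    "anonymous":     (ALLOW, DENY, ALLOW),
    "authenticated": (ALLOW, DENY, DENY),
    "non-member":    (ALLOW, DENY, ALLOW),
    "member":        (ALLOW, ALLOW, DENY),
}

def roles_for(logged_in, paid, workaround):
    """Roles an account holds; every logged-in account is 'authenticated'."""
    if not logged_in:
        return {"anonymous"}
    roles = {"authenticated"}
    if paid:
        roles.add("member")
    elif workaround:
        roles.add("non-member")  # must be removed when the user becomes a member
    return roles

def can_view(roles, term, grants):
    """Allow wins across roles; roles missing from the table grant nothing."""
    col = TERMS.index(term)
    return any(grants[r][col] == ALLOW for r in roles if r in grants)

def stale_role_accounts(accounts):
    """Accounts holding both roles: the Deny for members is overridden for them."""
    return [name for name, roles in accounts.items()
            if {"member", "non-member"} <= roles]
```

The workaround only holds while no account has both "member" and "non-member", so a periodic check like `stale_role_accounts` over the site's role assignments is worth running alongside whatever removes the role.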

segrop’s picture

Issue tags: +taxonomy, +access, +multiple roles

I am having issues with multiple roles and multiple taxonomy terms. A use case:

Users are teachers at a high school. Each user has two roles, one to describe grade level (e.g. 9, 10, etc.) and one to describe subject (e.g. science, math, history).

For example,
User: Grade, Subject
A: 9, math
B: 9, science
C: 9, history
D: 10, math
E: 10, science
F: 10, history
G: 11, math
H: 11, science
I: 11, history

Postings have a taxonomy term describing the relevant grade level and subject (same as the user roles).
More than one grade level or subject may be selected.

I want to be able to limit access by requiring the user's subject-role AND grade-role match the taxonomy terms.

Taxonomy terms -> Users with access
9, math -> A
9,10,11, math -> A, D, G
9, 10, math, science -> A, B, D, E

If I allow users with matching subjects and allow users with matching grade-levels, I am only requiring subject OR grade to match (because "Allow" overrides "Deny" across roles). Is there any way to accomplish an AND match?

mafi-a’s picture

same logical problem here!

HELP!

itchyeyeballs’s picture

I have a similar set up but it seems to be working, I assumed the "allow overrides deny" process applies to multiple roles not multiple taxonomies?

In my set up (I'm a newbie and still testing) I have a taxonomy for school names and a taxonomy for subjects.

Each school gets its own role (School A, School B etc)

The taxonomy for subjects is common across all schools, the taxonomy for schools is unique for each.

For example:

Role School A has access rights to Finance and School A in the taxonomy lists
Role School B has access rights to Finance and School B in the taxonomy lists.

If a node is created with Finance and School A selected from taxonomies it CANNOT be seen by role School B.
If a node is created with Finance and School B selected from taxonomies it CANNOT be seen by role School A.
If a node is created with Finance and ALL Schools selected from taxonomies it CAN be seen by both roles.

I have expanded this concept further by adding roles that can see all schools data under a single subject but nothing under others to cater for central education authority teams. As an added benefit the menus even disappear if the role has no access which cleans up the interface for users!

Today I implemented the WEBFM module and a .htaccess file to restrict access to files attached to the restricted nodes. Again this seems to be working too.

Just a shame there are no plans to port to D7 at the moment as I feel like I'm stuck using an old version of the system.

edit - just reread the post above and realised I misunderstood slightly. I think to do it that way you would have to create a role for each subject/grade pair which will be really cumbersome.

Alternative way may be to check out the views module which will let you design dynamic pages or blocks based on parameters such as user's role and/or passed arguments. Security may still be an issue but it would give you the interface you need for users.