This note is in Hasura.RQL.DDL.Schema.Cache. It is referenced at:
Roles may have parent roles defined from which they can inherit permissions; this is
called roles inheritance. Roles which have parents can also be parents of other roles,
so cycles in roles should be disallowed. This is done in the orderRoles
function.
When the metadata contains a permission for a role for an entity, it overrides the inherited permission, if any.
Roles inheritance works differently for different features:
See note [Inherited roles architecture for read queries]
For mutation and remote schema permissions, an inherited role can only inherit a permission from its parent roles when the relevant parts of the permissions are equal, i.e. the non-relevant parts are discarded for the equality check. For example, when comparing two remote schema permissions, the order of the fields in an Object type is discarded.
When an inherited role cannot inherit permission from its parents due to a conflict, then we mark the inherited role and the entity (remote schema or table) combination as inconsistent in the metadata.
Currently, actions and custom function permissions can be thought of as a boolean. Either a role has permission to the entity or it doesn’t, so in these cases there’s no possibility of a conflict. An inherited role will have access to the action/function if any one of the parents has permission to access the action/function.
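The rules above for cycle rejection, metadata override, equality-based inheritance and the boolean case can be modelled in a few lines. This is an added sketch, not code from Hasura: `orderRolesSketch`, `Resolved` and `resolve` are hypothetical names, it uses `Data.Graph` from the `containers` package, and it does not cover the read-query rules, which the note defers to another note.

```haskell
import Data.Graph (SCC (..), stronglyConnComp)
import qualified Data.Map.Strict as M

type Role = String

-- Result of resolving one role's permission on one entity.
data Resolved p = NoPerm | Perm p | Inconsistent
  deriving (Eq, Show)

-- Parents-first ordering; any strongly connected component with a cycle is
-- rejected (Left carries the roles that form it).
orderRolesSketch :: M.Map Role [Role] -> Either [Role] [Role]
orderRolesSketch parents = traverse check (stronglyConnComp nodes)
  where
    nodes = [(r, r, ps) | (r, ps) <- M.toList parents]
    check (AcyclicSCC r) = Right r
    check (CyclicSCC rs) = Left rs

-- `explicit` holds the permissions written in metadata for ONE entity. `p` must
-- already be reduced to its relevant parts, so that (==) is the equality the
-- note describes. With p = () this is the boolean case of actions/functions.
resolve :: Eq p => M.Map Role [Role] -> M.Map Role p -> Either [Role] (M.Map Role (Resolved p))
resolve parents explicit = foldl step M.empty <$> orderRolesSketch allRoles
  where
    allRoles = M.union parents (M.map (const []) explicit)
    step acc r = M.insert r (permFor acc r) acc
    permFor acc r = case M.lookup r explicit of
      Just p -> Perm p -- a permission in metadata overrides inheritance
      Nothing -> combine [M.findWithDefault NoPerm q acc | q <- M.findWithDefault [] r parents]
    combine rs
      -- assumption of this sketch: an inconsistent parent taints its children
      | Inconsistent `elem` rs = Inconsistent
      | otherwise = case [p | Perm p <- rs] of
          [] -> NoPerm
          (p : ps)
            | all (== p) ps -> Perm p
            | otherwise -> Inconsistent -- parents disagree: flag (role, entity)

main :: IO ()
main = do
  -- Constructed sample data: role names and column lists are made up.
  let parents = M.fromList [("manager", ["editor", "auditor"]), ("lead", ["manager"])]
  print (resolve parents (M.fromList [("editor", ["id"]), ("auditor", ["id", "ssn"])]))
  print (resolve parents (M.fromList [("editor", ["id"]), ("auditor", ["id", "ssn"]), ("manager", ["id"])]))
  print (resolve parents (M.fromList [("editor", ())]))
  print (resolve (M.fromList [("a", ["b"]), ("b", ["a"])]) (M.empty :: M.Map Role ()))
```

The four calls cover, in order: conflicting parents, the same conflict resolved by an explicit permission on the child, the boolean case where one parent's access is enough, and a role cycle rejected before any permission is resolved.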