The documentation makes two different statements:
https://www.boundaryproject.io/docs/concepts/security/permissions#resource-table says Roles can be defined at Global, Org, and Project level
A role can only be defined within a project scope
The latter would seem untrue, since the initial dev configuration creates roles for admin and anon at both the global and org level, and the documentation here walks you through creating roles at global scope: https://www.boundaryproject.io/docs/installing/no-gen-resources#create-roles-to-manage-scopes
Another question I have is about inheritance. If I grant the ability to create hosts at an org level, should this flow down to projects? It doesn’t appear to in practice. So roles at the org and global layer only affect the ability to manage items at that layer, e.g. groups, users, orgs, and projects respectively?