Jason,
Can you tell me why you need to know how the user gets the role? It should be transparent in your design. I have designed a shared security framework for all applications in the company. Every time a developer came to me and ask this question, I knew he/she had a bad design. Because a Role is a Role. It doesn't matter how the user gets the Role. If you need act differently by how the user gets the Role, you may need define a different Role.
Richard.
