--- a/mod_compat_roles/mod_compat_roles.lua	Tue Nov 29 11:38:28 2022 +0000
+++ b/mod_compat_roles/mod_compat_roles.lua	Tue Nov 29 11:43:59 2022 +0000
@@ -31,6 +31,12 @@
 -- permissions[host][role_name][permission_name] = is_permitted
 local permissions = {};
 
+local role_inheritance = {
+	["prosody:operator"] = "prosody:admin";
+	["prosody:admin"] = "prosody:user";
+	["prosody:user"] = "prosody:restricted";
+};
+
 local function role_may(host, role_name, permission)
 	local host_roles = permissions[host];
 	if not host_roles then
@@ -40,7 +46,8 @@
 	if not role_permissions then
 		return false;
 	end
-	return not not permissions[role_name][permission];
+	local next_role = role_inheritance[role_name];
+	return not not permissions[role_name][permission] or (next_role and role_may(host, next_role, permission));
 end
 
 function moduleapi.may(self, action, context)