We've recently come to accept reader as one of the default roles.  However, one thing that is not clear to me is the intention:  is this designed to be the readonly set of operations that an admin can do, or the read only set of operations that a member can do?

Should we really have two read-only roles, one for each case?  Perhaps the admin-read-only should be called auditor, and then reader is for member only operations?