Per docs 
user_role = !reg/org.estatio.api,\
admin_role = adm/*
then a user with both user_role and admin_role should have access to everything, because the two vetos in the "reg" group do not veto the permission provided in the "adm" group.
Tracking this down showed the issue to be a reliance on equals() implementation in IsisPermission.