The paper presents a coordination model that contains three active entities: actors, roles and coordinators. Actors abstract the system's functionalities; while roles and coordinators statically encapsulate coordination constraints and dynamically propagate these constraints among themselves and onto the actors. Software system's attack-tolerance and survivability in open hostile environments are enhanced through appropriate constraint propagations and constraint enforcements. The role represents a group of actors which share the same set of behaviors declared by the role. Coordination and coordination constraints in the model are categorized into two classes: inter-role coordination and intra-role coordination. The coordinators are responsible for inter-role coordination; while the roles are not only abstractions for a set of behaviors, but also responsible for coordinating the actors which share the same role. This setting implies that both the coordination constraints and coordination activities are decentralized and distributed among the coordinators and the roles. The decentralization not only shields the system from single point of failures, but also provides a foundation and posts for survivable feedback loops to be built upon. The survivable feedback loops presented in the model further restrains the contamination of faulty elements and protects the whole system from being broken down by single failures.