[fabian2k]

The reasoning about only allowing additive permission is something I've had pretty strong opinions, and it's nice to see that other people agree with this. Permissions gets incredibly complicated very fast even in the best case, and any additional complexity can easily confuse users.

Their use case feels a bit too micro-managed for my taste, but that is certainly a matter of opinion. And if their customers demand this, it's hard to convince them otherwise. My preference is to handle certain more subtle cases like their "only DNA design team can edit sequences, but Research team can edit metadata" as a convention, not a hard rule enforced by the application. And if you have a good history of changes, it still allows for transparency about who edited what.