Hi Isabel,
I've run a couple tests now, and have not been able to reproduce the issue you report, unfortunately. I tested across two different instances - both are a bit later than yours (one was a development branch that would lead to the 2.7.0 release, though the internal schema was still at 2.6.0-192; the other was a stable 2.7.1-192 version), however, in reviewing the intervening release notes, I don't see any notable changes to the permissions module or to users/groups.
In any case, using the data found in our demo site and
this particular hierarchical description as the basis for my tests, here is how i configured the permissions for an authenticated user (test1) who was not part of any user groups:
The "Passports and Travel Documents" series has both Files and Items nested beneath it. With the above configuration, I was able to edit that series and all of its descendants, but not any of the other records in the hierarchy, as I expected. This held up in both test instances. I haven't done it myself, but I suspect you could also recreate this experiment in our 2.7.3
public demo site.
Does your site have any further customizations? Are you applying many different custom per-description rules to each user, or just a couple? How many users are getting these custom permissions? I'm trying to determine what might be the important differences between my test instances and your production site. Though I don't think it will necessarily help (since I didn't find any issue tickets directly related to permissions - though I could have missed some!), is upgrading to a more recent version soon an option?
As I believe you will know by now, AtoM's permissions module does have some known issues, and the way it handles inheritance-based permissions adds a lot of complexity and can produce some strange results. For further details on some of the known issues with the permissions module (including some links to some known bugs), see some of our previous responses on this topic in the forum, such as:
Sorry this is not much help, but perhaps with more information we can narrow down the cause.