Hi Miquel,
First, I would like to offer a word of warning about how you are attempting to configure the permissions. The short version is: AtoM's permissions module was first added over a decade ago (when the application's primary use case was small to medium archives, with simpler permissions needs), and unfortunately, while AtoM's user base has grown exponentially and the ways in which the community attempts to use it have multiplied, the permissions module has not received any significant overhaul. Additionally, AtoM was never designed to be a fully multi-tenanted system - the multi-repository functionality was added for ACCESS use cases, such as setting up a regional or national portal site; not having multiple different institutions edit and manage all their holdings in one application without being able to see the work of others.
Consequently, there are many known performance and scalability issues, as well as a number of bugs that are difficult to change without performing a full rewrite. This is particularly obvious when you start trying to add too many custom permissions. We'd like to do an overhaul, but it's a major piece of work - meaning that for Artefactual to take it on, we'd need community support, either in the form of community code contributions or development sponsorship. So far no one has been willing to fund the level of work necessary to truly address these issues.
The main way that this manifests is that: when you try to add too many different custom permissions, you start encountering bugs and performance issues. For a longer response on some of the known issues with the permissions module, see some of our previous responses on this topic in the forum, such as:
Now, with that warning in place, I will try to answer your question.
Please keep in mind that the Physical storage module (like most of the internal entities, such as accessions, taxonomies, donors, rightsholders, etc) are NOT designed to be multi-tenanted. You will be trying to use the permissions in an unconventional way and may encounter performance issues, bugs, and more.
The permissions for physical storage in AtoM also do not have a user interface, like archival description permissions. Instead, they are controlled by a number of configuration files that set access policies for user GROUPS (you cannot currently set permissions for individual users for these modules). You can read about how these security configuration files are structured, and how to edit them to add or change group permissions, here:
A bit further down the page are specifics for the Physical storage configuration file:
You can create custom groups in AtoM and then add those group names to the security configuration files, and it should work. Remember to clear the application cache and restart PHP-FPM after editing any configuration files. It will be up to you to experiment and see how you can configure things for your needs, and what side effects that may have.
As a general piece of advice: a bit of trust in your archivists (who probably don't have time or inclination to go snooping in other people's data anyway) and some general agreed upon policies and procedures (around access, but also around naming conventions in shared modules like storage, accessions, etc), etc can go a long way - and that might allow you to relax how strictly you are trying to limit permissions, resulting in a better user experience for everyone.
If this really remains a problem, then honestly people should be using separate AtoM installations.
Cheers,