Group access to edit job but only run for some users

[William Hargrove]

I'd like to get some feedback on a recent requirement.

I have a group setup with users as members.

Within the project context the group is used to give 'edit' access to a job (ie update, delete, run etc).

This was working fine but there is now a requirement to permit only 'run' access to jobs and not 'edit' access to certain users within the existing group. I would like to try and keep the existing group structure in place but add some 'exceptions' for specific users. ie. the group can edit, but users x and y can only run.

Is there a way I could achieve this with minimal change? I would like to avoid having to create separate can_edit and can_run groups.

If I were to create an acl scoped to a specific user which gives run access, and there is an acl scoped to the group (which contains the user) which gives edit access over jobs within the same project - which will win out?

Thanks, Will.