I'd like to get some feedback on a recent requirement.
I have a group set up with users as members.
Within the project context the group is used to give 'edit' access to a job (i.e. update, delete, run, etc.).
This was working fine but there is now a requirement to permit only 'run' access to jobs and not 'edit' access to certain users within the existing group. I would like to try and keep the existing group structure in place but add some 'exceptions' for specific users, i.e. the group can edit, but users x and y can only run.
Is there a way I could achieve this with minimal change? I would like to avoid having to create separate can_edit and can_run groups.
If I were to create an ACL scoped to a specific user which gives run access, and there is an ACL scoped to the group (which contains the user) which gives edit access over jobs within the same project - which will win out?