Hydra's current authorization model accounts for user- and group-based permissions (what I am calling groups are sometimes in Hydra called "roles", such as in the RoleMapper class or hydra-role-management). Authorization data is stored in the repository (as rightsMetadata or policy-based defaultRights) and provides a simple set of permissions ("discover", "read", and "edit") which are applied atomically at the object level. Adding other kinds of permissions (such as the ability to add child objects to a parent) or ones that don't depend on repository data (such as the ability to create new objects) involves custom coding using the current authorization library (CanCan, or CanCanCan in hydra-head 7).
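To make the model above concrete, here is an added example that is not Hydra's own code and does not use the cancan gem: a self-contained check that resolves the repository-stored "discover"/"read"/"edit" grants by user and group, next to two permissions ("create" and "add child") that the repository data cannot answer on its own. The class, method and group names are assumptions, as is the rule that edit implies read implies discover.

```ruby
# Added example, not Hydra or CanCan code. Names and the level ordering are
# assumptions; the rights data below is constructed for illustration.
require 'set'

# Constructed stand-in for rightsMetadata: for each permission level, the
# users and groups that hold it on a given object.
RIGHTS = {
  'obj:1' => {
    'discover' => { users: [], groups: ['public'] },
    'read'     => { users: ['alice'], groups: ['staff'] },
    'edit'     => { users: [], groups: ['curators'] }
  }
}.freeze

# Assumption: higher levels imply lower ones (edit => read => discover).
LEVELS = %w[discover read edit].freeze

User = Struct.new(:name, :groups)

# Repository-backed check: true if the user, or any of their groups, holds
# `level` or a higher level on `object_id`.
def permits?(user, level, object_id, rights = RIGHTS)
  entry = rights[object_id]
  start = LEVELS.index(level)
  return false if entry.nil? || start.nil?

  LEVELS.drop(start).any? do |lvl|
    grant = entry[lvl]
    grant[:users].include?(user.name) ||
      (grant[:groups] & user.groups).any?
  end
end

# A permission that does not live in repository data needs its own rule.
# Assumption: creating objects is granted by group membership alone.
CREATOR_GROUPS = Set['curators', 'admins'].freeze

def can_create?(user)
  user.groups.any? { |g| CREATOR_GROUPS.include?(g) }
end

# Adding a child to a parent is a compound rule (also an assumption): the
# user must be allowed to create objects AND to edit the intended parent.
def can_add_child?(user, parent_id, rights = RIGHTS)
  can_create?(user) && permits?(user, 'edit', parent_id, rights)
end
```

The point the block makes is that only `permits?` can be answered from rightsMetadata; `can_create?` and `can_add_child?` are exactly the kind of rule the text says currently has to be hand-coded per adopter.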
It would seem beneficial to the Hydra community and/or individual adopters to explore the possibility of a common approach to extending Hydra's native authorization API.