rw----: private group (admin can read)
rwr---: collab. read-only
rwra--: collab. read-annotate
r----- and r-r---: strictly read-only; NO CHANGES. "Published". Note: we also need group-admin-only write. Do we use another flag for that? ra----?
rwrw--: collab. read-write (already possible in server). Allows non-group-admins to delete, etc.
------: Disabled group?
rar---: Group can see; data is locked but annotatable
rara--: Data is still locked but annotatable by group.
This would make the anonymous ("Public") user unnecessary, so perhaps not worth the effort.
rarar-: Everyone can see, group can annotate
rarara: Everyone can see, anyone can annotate
rwrara: as above, but I can modify my data.
r-r-r-: ... etc ...
rar-r- rwr-r- rwrwra rwrwrw rwrwrw rwrwra rwrwr- rwrara rwrar-
In general, all broken due to "I have lower permissions than others who I trust less":
rwrarw rwr-rw rwr-ra rarwrw rarwra rarwr- rararw rar-rw rar-ra r-rwrw r-rwra r-rwr-
r-rarw r-rara r-rar- r-r-rw r-r-ra rwrarw rw--rw rw--ra rarwrw rarwra rarw-- rararw
ra--rw ra--ra --rwrw --rwra --rw-- --rarw --rara --ra-- ----rw ----ra rw--r- ra--r-
r-rw-- r-ra-- r---rw r---ra r---r- --rwr- --rar- --r-rw --r-ra --r-r- --r--- ----r-
It might be easier to read (though less familiar to Unix heads) to use only a single letter for each of owner, group and world:
W = read/write, A = read/annotate, R = read-only, - = nothing. After all, things like "-w-w-w" also make little sense here. If we also assume we want owner >= group >= world, then we have 20 unique combinations:
WWW WWA WWR WW- WAA WAR WA- WRR WR- W-- AAA AAR AA- ARR AR- A-- RRR RR- R-- ---
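As an added example (not part of the original note), a small Python model of both notations: it parses the six-character owner/group/world strings, converts to the compact W/A/R/- form and back, and applies the owner >= group >= world rule, reproducing the 20 sane and 44 broken combinations listed above. Function names are my own.

```python
from itertools import product

# Added example, not from the original note: the two-character slots
# proposed for owner, group and world, ranked by strength.
SLOTS = {"rw": 3, "ra": 2, "r-": 1, "--": 0}
COMPACT = {"rw": "W", "ra": "A", "r-": "R", "--": "-"}  # single-letter form
EXPAND = {v: k for k, v in COMPACT.items()}


def parse(perm):
    """Split 'rwrar-' into ('rw', 'ra', 'r-'); reject malformed strings."""
    if len(perm) != 6:
        raise ValueError(f"expected 6 characters, got {perm!r}")
    slots = (perm[0:2], perm[2:4], perm[4:6])
    for slot in slots:
        if slot not in SLOTS:
            raise ValueError(f"invalid slot {slot!r} in {perm!r}")
    return slots

def is_sane(perm):
    """True when owner >= group >= world, the rule proposed in the note."""
    owner, group, world = (SLOTS[s] for s in parse(perm))
    return owner >= group >= world

def to_compact(perm):
    """'rwrar-' -> 'WAR'."""
    return "".join(COMPACT[s] for s in parse(perm))

def from_compact(short):
    """'WAR' -> 'rwrar-'."""
    if len(short) != 3 or any(c not in EXPAND for c in short):
        raise ValueError(f"invalid compact permission {short!r}")
    return "".join(EXPAND[c] for c in short)

def enumerate_perms():
    """All 64 combinations, split into the sane and the broken ones."""
    everything = ["".join(p) for p in product(SLOTS, repeat=3)]
    sane = [p for p in everything if is_sane(p)]
    broken = [p for p in everything if not is_sane(p)]
    return sane, broken


if __name__ == "__main__":
    sane, broken = enumerate_perms()
    print(len(sane), "sane:", " ".join(to_compact(p) for p in sane))
    print(len(broken), "broken, e.g.:", " ".join(broken[:6]))
```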