rw---- : private group (admin can read)
rwr--- : collab. read-only
rwra-- : collab. read-annotate
r----- and r-r--- : strictly read-only; NO CHANGES. "Published". Note: we also need group-admin-only write. Do we use another flag for that?
ra---- : ?
rwrw-- : collab. read-write (already possible in server). Allows non-group-admins to delete, etc.
------ : Disabled group?
rar--- : Group can see; data is locked but annotatable
rara-- : Data is still locked but annotatable by group.
This would make the anonymous ("Public") user unnecessary, so perhaps not worth the effort.
rarar- : Everyone can see, group can annotate
rarara : Everyone can see, anyone can annotate
rwrara : as above, but I can modify my data.
r-r-r- : ... etc ...
rar-r-
rwr-r-
rwrwra
rwrwrw
rwrwrw
rwrwra
rwrwr-
rwrara
rwrar-
In general, all broken due to "I have lower permissions than others who I trust less"
rwrarw
rwr-rw
rwr-ra
rarwrw
rarwra
rarwr-
rararw
rar-rw
rar-ra
r-rwrw
r-rwra
r-rwr-
r-rarw
r-rara
r-rar-
r-r-rw
r-r-ra
rwrarw
rw--rw
rw--ra
rarwrw
rarwra
rarw--
rararw
ra--rw
ra--ra
--rwrw
--rwra
--rw--
--rarw
--rara
--ra--
----rw
----ra
rw--r-
ra--r-
r-rw--
r-ra--
r---rw
r---ra
r---r-
--rwr-
--rar-
--r-rw
--r-ra
--r-r-
--r---
----r-
It might be easier to read (though less familiar to Unix heads) to use only a single letter for each of owner, group and world:
W = read/write
A = read/annotate
R = read-only
- = nothing
After all, things like "-w-w-w" also make little sense here. If we also assume we want owner >= group >= world, then we have 20 unique combinations:
WWW
WWA
WWR
WW-
WAA
WAR
WA-
WRR
WR-
W--
AAA
AAR
AA-
ARR
AR-
A--
RRR
RR-
R--
---
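
The ordering rule above can be checked mechanically. The following is an added example, not code from the original notes or from any server implementation: it parses the six-character form, rejects pairs such as "-w", tests owner >= group >= world, and converts to the single-letter form. The function names are hypothetical, and the ranking "--" < "r-" < "ra" < "rw" is assumed from the letter definitions above.

```python
from itertools import product

# Levels per scope, weakest to strongest, in the page's six-character spelling.
LEVELS = ["--", "r-", "ra", "rw"]
# The page's single-letter spelling for the same levels.
LETTERS = {"--": "-", "r-": "R", "ra": "A", "rw": "W"}


def parse(perm):
    """Return (owner, group, world) ranks for a string such as 'rwra--'."""
    if len(perm) != 6:
        raise ValueError(f"expected 6 characters, got {perm!r}")
    pairs = [perm[i:i + 2] for i in (0, 2, 4)]
    for pair in pairs:
        if pair not in LEVELS:
            raise ValueError(f"invalid pair {pair!r} in {perm!r}")
    return tuple(LEVELS.index(pair) for pair in pairs)


def is_monotonic(perm):
    """True when owner >= group >= world."""
    owner, group, world = parse(perm)
    return owner >= group >= world


def to_letters(perm):
    """Convert the six-character form to the compact form, e.g. 'WA-'."""
    return "".join(LETTERS[LEVELS[rank]] for rank in parse(perm))


def valid_combinations():
    """Compact strings for every triple with owner >= group >= world."""
    perms = ("".join(triple) for triple in product(LEVELS, repeat=3))
    return [to_letters(p) for p in perms if is_monotonic(p)]


if __name__ == "__main__":
    # Constructed check: two strings taken from the lists above, one malformed.
    for sample in ("rwra--", "r-rwrw", "-w-w-w"):
        try:
            verdict = "ok" if is_monotonic(sample) else "owner/group/world out of order"
            print(sample, to_letters(sample), verdict)
        except ValueError as err:
            print(sample, "rejected:", err)
    print(len(valid_combinations()), "valid combinations")
```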