"I think it is a good idea to also be able to grant permission by object type, so the concepts are complementary."
I inteded this as a solution to your originally stated problem, though, so I see them as two possible solutions to the same problem.
In my proposal, you could grant "admin" on objects of type "news_item" on a subsite, and it would cascade to all specific news_item package instances as usual, and thus be scoped to both the subsite (or wherever you decide to grant it in the containment hierarchy currently implemented by context_id) *and* it will also let you scope to specific object types.
If you do the "object type proxy object" and grant permissions on that, then you'd be granting the permission site-wide, which, to me, doesn't really cut it -- I want to be able to host multiple separate sites on one instance/DB for ease of maintenance.
I do see that your proposal works with the existing permissions system, whereas mine proposes to make a change to that existing system to fulfill a requirement, which has surfaced time and again.
I specifically am not very hot on the thought of having packages do this automatically, so a default install will have a group per application, and maybe even a group per application per subsite. Or maybe even more? What if you want to grant "write" or "create" or "read" or some other privilege? Then you'll want to have a "News Readers", "News Creators", "News Writers", and "News Administrators" groups for each application x subsite on your site. Was that what you were thinking?
/Lars
