I found the following explanation in the doc for the news module illuminating, and unlike Press and some others the permissions granularity seems to work correctly for this module also. I would think that other application types might/would have requirements for similar permissions handling.
Permissions
With the ACS4 permissions model, the news administrator need no longer coincide with the site administrator. This need only be the case right after installation. The News application has a hierarchical set of permissions which can be assigned to any party as needed. The news root privilege is news_admin which comprises news_create, news_delete, and news_read.
By default, the news_admin permission inherits from the site-wide admin. The news_read permission is assigned to the public so that all users, including non-registered users, have access to /news/. By default, the news_create permission is assigned to registered users. However, they can only submit a news items, but not approve it. Approval requires news_admin privilege or can be set to take place automatically by setting the parameter ApprovalPolicy to 'open'. The news privileges can be changed in /permissions/ by the administrator on the /news/admin/index page. The needs of an individual site, e.g. sharing the news administration duties among several individuals, are thus covered.
This comes from
/doc/news/design.html on one of my servers.
Regards..
