Joel,
THe model already supports this, although not in exactly the way you are thinking.
We have CREATE, and WRITE. Write corresponds to your EDIT privilge.
READ does not currently inherit from WRITE.
They way to group permissions without adding a new privilege to the hierarchy is to create a role and a corresponding relational_segment and grant the correct permissions to that relational_segment.
The problem is that this is not handled well in the user interface.
In an applicaiton UI the role of Administrator, Moderator, Editor can be shown the the administrator. The admin can then add a new user in one of these roles. Internally the user is aded the to the relational segment, probably as part of an application group for a particular package instance.
So is your idea to change the way permissions are handled in the user interface or the way they are handled in the code?
