In the context of permissions think in Roles instead of UserGroups

[subotic]

The current behavior should not change.

• knora-base:User can be part of a knora-base:UserGroup
• knora-admin:Role represents a role giving the holder certain permissions (knora-admin:Permission), which need to be defined separately
• knora-admin:Role can be attached to knora-base:User and knora-base:UserGroup

The user's final permission is the sum of all roles and the permissions attached to each role.

The permission string knora-base:hasPermissions "M knora-base:ProjectMember" on a resource would thus have the meaning: award the permission M to the ProjectMember role.

Related issues:

• #679