I have an issue with the employed prioritization of access modifiers (read/write, read, and deny).
Currently, deny has the highest priority, i.e. if a user is in a group that has no access to a folder but the user is individually granted access to it, the user will not be granted access by the system unless he or she is removed from the group or the group is also granted access to the folder. Similarly, if we have several groups with distinct members (e.g., reflecting workgroups) and another group incorporating one head of each workgroup with certain access privileges, we would have to remove the heads from the workgroups in order for their privileges to be applied (unless the privilege is an elevation from read to read/write) - otherwise the deny access setting of the respective workgroups would counteract the access within the head group.
This renders groups almost unusable.
Consequently, I would urge to change the prioritization queue from
deny > read/write > read
to
read/write > read > deny
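The two precedence orders from the post, resolved side by side for the workgroup/heads scenario it describes. This is an added example and not part of the original post or the product's code; the user, group and folder names, the data layout and the function names are all constructed for illustration.

```python
from enum import Enum

class Access(Enum):
    DENY = "deny"
    READ = "read"
    READ_WRITE = "read/write"

# Precedence orders quoted in the post, highest priority first.
CURRENT = [Access.DENY, Access.READ_WRITE, Access.READ]
PROPOSED = [Access.READ_WRITE, Access.READ, Access.DENY]

# Constructed sample data: group memberships and per-folder settings.
MEMBERSHIPS = {
    "alice": ["workgroup_a", "heads"],   # a workgroup head
    "bob": ["workgroup_a"],              # an ordinary workgroup member
    "carol": ["workgroup_b"],            # member with an individual grant
}
GROUP_SETTINGS = {
    ("workgroup_a", "reports"): Access.DENY,
    ("workgroup_b", "reports"): Access.DENY,
    ("heads", "reports"): Access.READ_WRITE,
    ("workgroup_a", "shared"): Access.READ,
    ("heads", "shared"): Access.READ_WRITE,
}
USER_SETTINGS = {("carol", "reports"): Access.READ}

def effective_access(user, folder, order):
    """Gather every setting that applies to the user (individual and via
    groups) and return the one that ranks highest in `order`."""
    applicable = []
    if (user, folder) in USER_SETTINGS:
        applicable.append(USER_SETTINGS[(user, folder)])
    for group in MEMBERSHIPS.get(user, ()):
        if (group, folder) in GROUP_SETTINGS:
            applicable.append(GROUP_SETTINGS[(group, folder)])
    if not applicable:
        return None  # nothing set; the post does not state the default
    return min(applicable, key=order.index)

def compare(user, folder):
    """Return (result under CURRENT order, result under PROPOSED order)."""
    return (effective_access(user, folder, CURRENT),
            effective_access(user, folder, PROPOSED))

if __name__ == "__main__":
    for user, folder in [("alice", "reports"), ("alice", "shared"),
                         ("carol", "reports"), ("bob", "reports")]:
        cur, new = compare(user, folder)
        print(f"{user:6} {folder:8} current={cur.value:10} proposed={new.value}")
```

Under the proposed order, a deny set on a group only takes effect for members who hold no grant from any other source, so it can no longer serve as an override for a specific group.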