I should be able to debug the Permissions for a given Person or Role

Summary: Chad suggests: "start working on a simple drop in piece of QL that generates some permissions reports so owners can debug what's going on with the overlapping sets of permissions at the different levels."

This is an intriguing idea. What would this look like in QL? It wants to take several parameters -- a permission, a Thing, and a Security Principal -- and should produce what the effective permission is, and more importantly why that value is the result. In principle, I don't think this is especially complex: it just needs to walk up the tree the way that AccessControl does. So work it through, and put it into Recipes.

Eric suggests a tree-structured look and feel, which makes sense. You'd select a specific Security Principal, and it would show all of the Things in this Space in the usual tree format. I suspect that Who Can Read would be represented by greying out non-readable Things; possibly the other permissions would be represented by icons?