I should be able to define a group that can create and edit only specific Models

(User Story, Closed -> Fixed, Priority: Critical, Test Status: Unit tested , Reported By Bad Link: Thing 3y284oe not found, )

Security

Summary: The existing mechanisms don't work for this: the Editor and Contributor Roles are too powerful, and you can't assign a Role in Who Can Edit Children.

The tentatively-correct solution is to:

Let the Owner define custom Roles.
Let the Owner give those custom Roles to members.
Check Roles when we are checking Thing and Model in hasPermission and canEdit.

Initially, we might just hack this. We define an additional list under Sharing for Custom Roles. We let you define a named Custom Role, but initially don't let you set permissions on it. We let you set Additional Roles in the user list for the Space. And we do the Role check in hasPermission.

Later, we would make this better. We'd unify Role-setting so that the standard and custom Roles used the same Set UI, maybe with some tweaks to always set one standard Role. We would let you specify the exact permissions in checkbox fashion when creating or editing a Role.