ACL has open-access enabled by default. This means that metacards are either R/W or not R/W. We want finer grained access control downstream (and upstream) to enable R/W explicitly and separately so they are treated as mutually exclusive permission sets.
This will enable an owner of a metacard to give access to another user to read, but that read permission should not necessarily imply a write permission (which is the default behavior now). The only people that should be capable of writing to the metacard will be the access-administrators, owners and those who reflect having a new security attribute that enables write perms explicitly.
This will involve modifying the access plugin, policy plugin, policy extension and ingest plugin to account for this logical shift in the way we are handling permission sets. This will also require an update to the unit tests and possible itests.