Having a finely adjustable security system always makes sense IMHO - but the majority of MODX users will never have the requirements to use the granularity. From a sysadmin's point of view, it's necessary to provide a group-based security concept, not only a user-based one. If you have a large number of users and you have to change an elementary setting, you are f***ed.
Is it really useful to have groups AND roles? Of course, you can build very big sites with lots of resources and then it's good to have groups and roles... ok. But in most cases you will need to have these different groups:
- Create/Edit Resources
- Create/Edit/Publish Resources
Even if you need to have 5 more groups for your site, it's still possible not to lose the overview, isn't it?
What I want to say is: Don't make it more complicated than it is!
IMHO, the easiest solution would be like this:
Create a group, add settings for what members of the group are allowed to do, then add the group to a resource and add users to the group, done.
Btw, a major difference from e.g. the Windows security concept is that if one rule allows access and another rule restricts the access (user has both policies), the user has access to the resource. Windows handles this more restrictively: access is forbidden.
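
The group model and the conflict rule described in the post, as an added example (not part of the original post, and not MODX or Windows code): groups carry allow/deny settings and are attached to a resource, and two combining functions show where the verdicts diverge. All class names, function names and sample data are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)
    # permission name -> True (allow) or False (explicit deny)
    rules: dict = field(default_factory=dict)

@dataclass
class Resource:
    name: str
    groups: list = field(default_factory=list)

def applicable_rules(user, resource, permission):
    """Collect every allow/deny verdict that applies to this user here."""
    return [g.rules[permission] for g in resource.groups
            if user in g.members and permission in g.rules]

def allow_wins(user, resource, permission):
    """Rule the post attributes to MODX: a single allow grants access."""
    return any(applicable_rules(user, resource, permission))

def deny_wins(user, resource, permission):
    """Rule the post attributes to Windows: an explicit deny overrides allows."""
    verdicts = applicable_rules(user, resource, permission)
    return bool(verdicts) and all(verdicts)  # no matching rule means no access

def conflicted_users(resource, permission):
    """Users whose access depends on which combining rule is in force."""
    users = set().union(*(g.members for g in resource.groups))
    return sorted(u for u in users
                  if allow_wins(u, resource, permission)
                  != deny_wins(u, resource, permission))

# Constructed sample data: bob is in both groups and gets conflicting verdicts.
editors = Group("editors", {"alice", "bob"}, {"edit": True, "publish": False})
publishers = Group("publishers", {"bob"}, {"edit": True, "publish": True})
page = Resource("home", [editors, publishers])

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "publish:",
              "allow-wins =", allow_wins(user, page, "publish"),
              "deny-wins =", deny_wins(user, page, "publish"))
    print("review these users:", conflicted_users(page, "publish"))
```

Running `conflicted_users` over each resource and permission gives the list of accounts to review before relying on a deny setting under an allow-wins system.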