Restrict member removal through ACLs
In some use cases, managers could be allowed to add users to a role/group but not to remove other users from it.
One suggestion was to add a «delete» right separate from the «write» right in the ACLs. One problem with this is that it means managers can’t remove values they added themselves. Also, we’ll need to migrate existing ACLs and decide what this «delete» right means for single-valued attributes. Maybe another solution would be to look at the rights on the user to decide whether they can be removed by a manager.
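A sketch of how the separate «delete» right suggested above could be evaluated, showing the three open points (a manager's own additions, migration of existing ACLs, single-valued attributes). This is an added example, not code from the project: the right letters `w` and `d`, the function names and the `replace_needs_delete` switch are assumptions, and the user names are constructed.

```python
from dataclasses import dataclass

# Hypothetical right letters: "w" = add values, "d" = remove values.


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def migrate_acl(rights: str) -> str:
    """Legacy "w" covered both adding and removing, so an existing ACL
    keeps its behaviour only if "d" is granted wherever "w" was."""
    if "w" in rights and "d" not in rights:
        return rights + "d"
    return rights


def check_change(rights, old, new, single_valued=False,
                 replace_needs_delete=True):
    """Decide whether changing an attribute from `old` to `new` is allowed.

    The check compares values only and has no notion of who added a value,
    so a manager's own additions are protected from them as well.
    """
    old_set, new_set = set(old), set(new)
    added, removed = new_set - old_set, old_set - new_set
    # Policy choice for single-valued attributes: is replacing the one
    # value a plain write, or a delete followed by a write?
    if single_valued and added and removed and not replace_needs_delete:
        removed = set()
    if added and "w" not in rights:
        return Decision(False, "missing write right for: "
                        + ", ".join(sorted(added)))
    if removed and "d" not in rights:
        return Decision(False, "missing delete right for: "
                        + ", ".join(sorted(removed)))
    return Decision(True, "ok")


if __name__ == "__main__":
    manager = "rw"  # constructed ACL: may add members, may not remove them
    print(check_change(manager, ["alice"], ["alice", "bob"]))
    print(check_change(manager, ["alice", "bob"], ["alice"]))
    print(check_change(migrate_acl(manager), ["alice", "bob"], ["alice"]))
```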