Several types of user roles are foreseen:
A user can hold one, several or all of these roles at the same time.
Additionally, a user can only delete objects he has created himself and, in the case of files, only if the envelope is not released.
There are six permissions:
Add Collections, which is given to the collection administrator.
Change Collections, which is given to "owner". This way the collection administrator can only modify the collections he has created.
Add Envelopes, which is given to the "reporter". This allows people to create envelopes. If you have the right to create an envelope you also have the right to add files into it. If there are certain parts of the hierarchy that a reporter should be restricted to, then give him the permission as a local role, or create a user folder on that level.
Change Envelopes. Give this permission to "owner" to let a "reporter" fill his own envelopes or give the permission to "reporter" to let all reporters modify all envelopes.
Delete Objects. Typically give this permission to "owner" and maybe "release-coordinator" or "collection administrator".
Release Envelopes. Can be given to "owner", "reporter" or some other class of users.
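The rules above can be modelled as a small access check. This is an added example, not code from the system described: the Node class, the function names and the sample users are hypothetical, the role-to-permission mapping is one of the assignments the text suggests, and "owner" is assumed to mean the user who created the object.

```python
from dataclasses import dataclass, field

# One mapping the text suggests; the actual assignment is configurable per site.
ROLE_PERMISSIONS = {
    "collection administrator": {"Add Collections"},
    "reporter": {"Add Envelopes"},
    "owner": {"Change Collections", "Change Envelopes",
              "Delete Objects", "Release Envelopes"},
}

@dataclass
class Node:  # hypothetical stand-in for a collection, envelope or file
    kind: str
    creator: str
    parent: "Node | None" = None
    released: bool = False                           # used for envelopes
    local_roles: dict = field(default_factory=dict)  # user -> set of roles

def roles_for(user, node, global_roles):
    """Global roles + local roles on the node or any ancestor + "owner" if creator."""
    roles = set(global_roles.get(user, ()))
    cur = node
    while cur is not None:
        roles |= cur.local_roles.get(user, set())
        cur = cur.parent
    if node.creator == user:
        roles.add("owner")  # assumption: "owner" means the creating user
    return roles

def has_permission(user, permission, node, global_roles):
    return any(permission in ROLE_PERMISSIONS.get(role, ())
               for role in roles_for(user, node, global_roles))

def can_delete(user, node, global_roles):
    """Needs Delete Objects, own objects only, no file deletion after release."""
    if not has_permission(user, "Delete Objects", node, global_roles):
        return False
    if node.creator != user:
        return False
    return not (node.kind == "file" and node.parent and node.parent.released)

def sample():
    """Constructed hierarchy: two collections, one envelope with one file."""
    dk = Node("collection", "admin", local_roles={"alice": {"reporter"}})
    se = Node("collection", "admin")
    env = Node("envelope", "alice", parent=dk)
    doc = Node("file", "alice", parent=env)
    return dk, se, env, doc
```

Granting "reporter" as a local role on one collection limits envelope creation to that subtree, while a globally assigned "reporter" can add envelopes anywhere.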