Need to strike a balance, not only between security & usability, but between security and ease of administration; there probably won’t be a dedicated security admin person for a given organization, so ideally the security model would run itself, without the need for admins.
We also need to remember the chicken-and-egg problem: it’s going to be an uphill struggle to get people to enter data into the system, and arbitrary ‘security’ restrictions on editing/adding things are going to make that much worse.
In general, I would favour trust & accountability over restrictions.
This would involve granting users rights to edit things, and having Admin users who can do the granting.
Lets anyone edit anything, but keeps a detailed changelog of everything and lets anyone roll back or undo any change, too.
Could we liken this to collaboration instead, which is a term research institutions are familiar with?
Don’t think so.
We could probably have a hybrid model, that would work something like this:
Everything is like a wiki - i.e. it remembers the history of all changes, supports roll-back etc... but you can only edit:
Also, have some Admin users who can edit anything in their organisation.
Not sure. In a Wiki system, you could just do it and they could roll back if wrong; but this could be annoying. It might also feel wrong for someone else to be editing your profile. Maybe they can make edits, but they don’t get applied, just suggested to you, with a single-click apply/ignore option? This would be complex to implement, unless you’re already using a wiki-style system, when it could probably re-use the built-in revisions system to do this.
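As an added illustration (example code, not part of these notes or any existing system), here is a small Python model of the hybrid scheme sketched above: every record keeps an append-only revision log, the owner and admins of the same organisation edit directly, anyone else's edit lands as a suggestion that the owner applies or ignores in one action, and a roll-back is itself just another logged revision rather than a deletion of history. The user/organisation structure, the `Record`/`Revision` types and the check that rejects a suggestion whose target field has changed since it was made are all assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    name: str
    org: str
    admin: bool = False  # org admin: may edit anything in their own organisation


@dataclass
class Revision:
    seq: int
    actor: str
    field_name: str
    old: Optional[str]
    new: Optional[str]  # None means "field removed"
    note: str


@dataclass
class Record:
    """One profile/entry: current data plus an append-only history (assumed layout)."""
    owner: str
    org: str
    data: Dict[str, str] = field(default_factory=dict)
    history: List[Revision] = field(default_factory=list)
    suggestions: Dict[int, Revision] = field(default_factory=dict)
    _next_seq: int = 1
    _next_sug: int = 1

    def _append(self, actor: str, field_name: str, new: Optional[str], note: str) -> Revision:
        # Every change, including roll-backs, is recorded; nothing is ever rewritten.
        rev = Revision(self._next_seq, actor, field_name, self.data.get(field_name), new, note)
        self._next_seq += 1
        self.history.append(rev)
        if new is None:
            self.data.pop(field_name, None)
        else:
            self.data[field_name] = new
        return rev


def may_edit_directly(user: User, rec: Record) -> bool:
    """Owner, or an admin of the record's own organisation."""
    return user.name == rec.owner or (user.admin and user.org == rec.org)


def edit(user: User, rec: Record, field_name: str, new: Optional[str],
         note: str = "edit") -> Tuple[str, int]:
    """Direct edit for owner/org admin; for everyone else, a pending suggestion."""
    if may_edit_directly(user, rec):
        rev = rec._append(user.name, field_name, new, note)
        return ("applied", rev.seq)
    sid = rec._next_sug
    rec._next_sug += 1
    rec.suggestions[sid] = Revision(sid, user.name, field_name,
                                    rec.data.get(field_name), new, "suggested: " + note)
    return ("suggested", sid)


def apply_suggestion(user: User, rec: Record, sid: int) -> int:
    """The single-click 'apply': only the owner/org admin may accept a suggestion."""
    if not may_edit_directly(user, rec):
        raise PermissionError(f"{user.name} may not accept suggestions on {rec.owner}'s record")
    s = rec.suggestions[sid]
    if rec.data.get(s.field_name) != s.old:
        # The field changed after the suggestion was made; refuse rather than clobber silently.
        raise ValueError(f"suggestion #{sid} is stale; review it against the current value")
    del rec.suggestions[sid]
    rev = rec._append(user.name, s.field_name, s.new, f"applied suggestion #{sid} from {s.actor}")
    return rev.seq


def ignore_suggestion(user: User, rec: Record, sid: int) -> None:
    """The single-click 'ignore'."""
    if not may_edit_directly(user, rec):
        raise PermissionError(f"{user.name} may not dismiss suggestions on {rec.owner}'s record")
    del rec.suggestions[sid]


def rollback(user: User, rec: Record, seq: int) -> Tuple[str, int]:
    """Undo revision `seq` by restoring its old value through edit(), so the same
    trust rule applies: owner/admin roll-backs take effect at once, others become suggestions."""
    rev = next(r for r in rec.history if r.seq == seq)
    return edit(user, rec, rev.field_name, rev.old, note=f"rollback of #{seq}")


def changelog(rec: Record) -> List[str]:
    """Human-readable audit trail: who changed what, from what, to what, and why."""
    return [f"#{r.seq} {r.actor}: {r.field_name} {r.old!r} -> {r.new!r} ({r.note})" for r in rec.history]


if __name__ == "__main__":
    # Constructed sample users and record; not real data.
    alice = User("alice", "physics")
    bob = User("bob", "physics")
    carol = User("carol", "physics", admin=True)
    rec = Record(owner="alice", org="physics", data={"email": "a@example.org"})
    edit(alice, rec, "email", "alice@example.org")      # owner: applied
    _, sid = edit(bob, rec, "phone", "123")              # colleague: suggested
    apply_suggestion(alice, rec, sid)                    # owner accepts with one action
    rollback(carol, rec, 1)                              # org admin undoes the email change
    print("\n".join(changelog(rec)))
```

Because a roll-back is appended rather than applied by deleting history, the changelog never loses the record of who did what; that is what makes the "trust & accountability" half of the model work.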