I understand that you must restrict users to being a member of a single group when it comes to how users interract with the platform (to provide predictable user behavior), but if there was another group-type that users could be a member of many groups, these used only for providing access to shares/drops. Feature-group = groups that give users permission to use certain features, set authentication method, file size restrictions etc. These are the groups that exist now. Access group = groups that are only added to shares and drops. Can have users assigned by LDAP group, users can belong to many groups. Optional = Access groups can be given a "deny" attribute on a share or drop, so all users of the platform can access a share except "casuals-access-group"