A default Alfresco Share site provides a security-model based on four groups which have one set of permissions assigned : Manager, Collaborator, Contributor and Consumer. Managers assign people and (global) groups to one of these groups. This model makes the following restrictions:
Each site-user is at least associated with one of the four groups available for access permission assignment
Only the administrator can create global groups which may introduce further complexity.
The Contentreich Alfresco add-on Site Groups can be used as an alternative to the standard site groups functionality with regards to access permission for all or a particular set of sites hosted by the repository. It offers:
Arbitrary site-local groups managed by site-managers
Additional assigment of permissions to the site-local groups
Assignment of people to site-local groups before invitations are accepted
In the context of access permissions, it is important to understand that access permission is granted and there is no explicit denying. Denial is equivalent of not granting access.