...
Assuming a generic authorization model (user → has permission → object), maybe we don’t need groups (or rather, that object could be a study and it could be a group). But we should look at other systems to see what it buys us. I think that practically, it’s difficult to grant read permissions to a group without a grouping construct (I create a new study and the system has to figure out who should be able to see it…that’s not easy with overlapping associations).
...