Only limiting write permissions to certain paths?

[peteruithoven]

Question
I'd like to create a company wiki where all members of the group Users can view and edit all pages except for certain paths where I only want one group to edit it. For example /ops/... should only be editable by members of the Ops group.

What I've done so far:
Group Users has all global content permissions.
It has these same permissions for paths that starts with /
But I've denied all the write related permissions for paths that start with /ops

Group Ops has all the same global content permissions.
And it has page rules that allow write related permissions for paths that start with /ops

But if I understand the Users, Groups & Permissions docs correctly the deny will always win when the rules have the same specificity?

So what's the best permissions setup approach for this usecase?
It might also be a good extra example for the documentation?

Host Info (please complete the following information):
OS: Docker Container (Linux)
Wiki.js version: 2.4.107
Database engine: [e.g. postgres 9.7, mysql 5.7]
PostgreSQL: 11.6

[peteruithoven]

I recreated this situation locally to test this a bit better. It indeed worked as expected where with the above configuration someone in the Ops group can't edit something in /ops

But, I did found a workaround, I can make the Ops group's page rule slightly more specific by adding /.

One of the limitations of this workaround is that nobody can create an /ops page.