Permissions can be handled with capability systems. Keyhive [0] is the furthest along on this. I've also made my own prototype [1] showing how certificate capabilities can be composed with CRDTs.

[0] https://www.inkandswitch.com/keyhive/notebook/

[1] https://spritely.institute/news/composing-capability-securit...