On groups, can they be structured to not have primary/secondary at all? IE just have a set of groups and people can be in none, some or all of them, depending on their permissions?
That way you can have a "public member" group who can see the public areas, then an "EVE member" with eve rights etc, and just assign people the groups as needed.
That's kinda what we have. You can have one primary group and as many secondary groups as you like. Thus, you're in Members by default (primary) and are in non, some or all secondary groups, depending on what you need. I think my error in setting up this structure, initially, is that I never wrote it down. It's now years old, potentially out of date and tricky to reinstate if it ever goes belly up.
I have an idea for a matrix, I'll straw man something and then see what you guys think.