The Permissions module is a concern. It is cumbersome, unintuitive, and incomplete. Many permissions are hidden within individual modules rather than being centrally managed, making it extremely difficult to maintain a coherent and consistent permissions structure across the system.
What does not help is the weird split by user groups and security groups for users and the inability to assign one user to multiple groups.