The resource root specifications and class specifications should be allowed to modify the overall permission set.

Need to resolve: how do permissions on classes interact with permissions on resources, and likewise for resources versus the module itself?

Options:

1. Child (class/resource) permissions replace parent (resource/module) permissions
2. Child permissions extend (add to/unioned to) parent permissions
3. Child permissions restrict (are intersected with) parent permissions

I mostly lean towards #3 at present.