Access rights are controlled not only via server config but also via creator and contributor field. It should be possible to revoce rights when a user leaves an organization or when an identity is compromised.