I personally tend to think the binary way (that is, one checkbox per permission) is the best approach for all users, making the three-way radio button an advanced option. I realise this is probably a rather conservative view, however...
That is in essence what SMF tried to do in 2.0 - by making deny permissions an optional extra, and by essentially making everything a binary choice by default. I'd argue that's even more confusing that having the three way switch just available by default.
That is, for each permission there was a value on screen. If course, taking 'disallow' out of the picture made the interface more intuitive to every user by just using a checkbox instead (since its value is now just binary).
Except it was never really binary in the first place, nor was it 'disallow' being taken out of the picture. Previously the choice was allow/disallow (binary) or allow/disallow/deny (tertiary), Essentially what I'm suggesting is *still* a tertiary system, but one that, with some UI hinting, should suggest the actual behaviour involved. Tick allow to allow it, tick deny to deny it from everywhere (aka never) and neither to do nothing with it.
Question: if you can tick both allow and deny, which would logically take precedence? What would you expect it to do if you selected both?
What I will note is that I looked around a bunch of systems and this seems the least unintuitive to me - as in there's no 'best' approach but only a series of 'less worse than...' approaches and this seems to me to be the least worst. The only variation I can think of is to present each permission as a dropdown (been there, done that, you'd be surprised how quickly that gets old)...
Mind you, there is one validity to dropdowns, and that's what I did in SimpleDesk, which was to align own/any in a dropdown, so a permission choice was No, Yes - Own, Yes - Any. Mind you in SD's case I didn't have any UI for denied.
Changing expected widget behaviour does not help in that respect.
To a point that depends on your expectation. See attached. It's the exact same mechanism, albeit tweaked slightly for other things and without the prior set of having to press Edit to actually configure it. (There is a sort of hierarchy involved. I expect to bring some of that in too.)
Mind you, just consider that it could have been so much worse than this. ;)
Just to clarify: if there are enough objections, I won't push forward with this. I'm aware that this is an important thing to get right and that what I have is still essentially experimental. It may be that it actually needs to be tried in a real environment to get a feel for how well it would really work.