One piece of feedback we've seen on permission schemes, going beyond those listed above, is a desire to restrict access by server group. A rough idea for a simple extension of the basic roles we create is to allow a custom role that is based on one of our standard roles but limited to one or more particular server groups:
<custom-role base-role="operator">
    <server-group name="groupA"/>
    <server-group name="groupB"/>
</custom-role>
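One way such a definition could be validated and evaluated, as an added example that is not the project's own code. The set of standard role names (only "operator" appears above), the rejection of an empty group list, and the denial of targets with no server group are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: the standard role names. Only "operator" is on the page;
# "monitor" is a constructed stand-in for the other standard roles.
STANDARD_ROLES = frozenset({"operator", "monitor"})

# The snippet from the text, embedded so the example runs offline.
SAMPLE = """
<custom-role base-role="operator">
    <server-group name="groupA"/>
    <server-group name="groupB"/>
</custom-role>
""".strip()


class RoleConfigError(ValueError):
    """Raised when a custom-role definition must be rejected."""


def parse_custom_role(xml_text, standard_roles=STANDARD_ROLES):
    """Return (base_role, frozenset of group names) or raise RoleConfigError."""
    root = ET.fromstring(xml_text)
    if root.tag != "custom-role":
        raise RoleConfigError("expected <custom-role>, got <%s>" % root.tag)
    base = root.get("base-role")
    if base not in standard_roles:
        raise RoleConfigError("base-role %r is not a standard role" % base)
    groups = []
    for child in root:
        if child.tag != "server-group":
            raise RoleConfigError("unexpected element <%s>" % child.tag)
        name = (child.get("name") or "").strip()
        if not name:
            raise RoleConfigError("<server-group> without a name")
        groups.append(name)
    if not groups:
        # Fail closed: an empty scope must not silently mean "all groups".
        raise RoleConfigError("custom role lists no server groups")
    return base, frozenset(groups)


def in_scope(role, target_group):
    """True only if the target's server group is one the role is limited to."""
    # Assumption: a target that belongs to no server group (None) is denied.
    _base, groups = role
    return target_group is not None and target_group in groups
```

The base role's own permissions still decide which operations are allowed; `in_scope` only narrows where they apply.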