JBoss Community

Access control notes

new comment by Darran Lofthouse

In the general tasks section there are a couple of lines mentioning "Enforce Permissions" in web console and CLI - I would suggest there should be no mention of client-side enforcement as that is just not enforcement - all of that needs to be on the server side.

What these clients do need is appropriate metadata to be returned to allow them to be able to still run intuitively against the server. The alternative is each client needs to be updated to understand the permissions model and act accordingly; the downside of this is now we need to maintain it in multiple locations with

This in turn implies to me that anything server side needs to be more than just enforcement, i.e. performing an authorization check at the time of an attempt to access the model / execute an operation is the bare minimum - we potentially need to be able to go beyond this to proactively identify what can or cannot be accessed.

As we have mentioned previously, for any permissions schema to be secure it needs to be understandable; one possibility here is to look at ways to show the effect of the currently defined permissions scheme on the domain model. This could be something along the lines of generating a report which visualises the tree and highlights what can and cannot be accessed by a specific user / role - alternatively social networks commonly have a "view profile as" option to see what others can see; this could be a mode to consider in the console.

Some of these items might be out of scope for this phase of development but just wanted to raise them so we can at least take them into account.
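
The three server-side pieces discussed in this comment (enforcement at operation time, access metadata returned to clients, and a per-role report over the tree), sketched as an added example that is not part of the original comment and is not JBoss code. The policy format, the tree, the role names and the `access-control` key are all assumptions made for illustration.

```python
# Added illustration: hypothetical policy model, not JBoss/WildFly code.
ACTIONS = ("read", "write")

# Constructed sample policy: role -> [(address prefix, allowed actions)].
# The longest matching prefix wins; an empty set denies a whole subtree.
POLICY = {
    "monitor": [(("subsystem",), {"read"}), (("subsystem", "security"), set())],
    "deployer": [(("subsystem",), {"read"}), (("deployment",), {"read", "write"})],
}

# Constructed sample management tree (nested dicts, leaves are empty).
TREE = {
    "core-service": {"management": {}},
    "deployment": {"app.war": {}},
    "subsystem": {"datasources": {}, "security": {}},
}

class AccessDenied(Exception):
    pass

def allowed(role, address, action):
    """The single server-side decision point; unmatched addresses are denied."""
    best = None
    for prefix, actions in POLICY.get(role, []):
        if address[:len(prefix)] == prefix and (best is None or len(prefix) > len(best[0])):
            best = (prefix, actions)
    return best is not None and action in best[1]

def execute(role, address, action):
    """Enforcement: checked on the server when the operation is attempted."""
    if not allowed(role, address, action):
        raise AccessDenied(f"{role} may not {action} /{'/'.join(address)}")
    return {"outcome": "success", "address": list(address)}

def describe(role, address):
    """Metadata for the console/CLI, answered by the same decision function."""
    return {"address": list(address),
            "access-control": {a: allowed(role, address, a) for a in ACTIONS}}

def report(role, tree=TREE, address=()):
    """'View as' report: effective access for every node in the tree."""
    lines = []
    for name, children in sorted(tree.items()):
        here = address + (name,)
        acl = describe(role, here)["access-control"]
        flags = "".join(a[0] if acl[a] else "-" for a in ACTIONS)
        lines.append(f"{flags} /{'/'.join(here)}")
        lines.extend(report(role, children, here))
    return lines
```

Because `describe` and `report` call the same `allowed` function that `execute` enforces, what a client is told and what the server permits cannot drift apart.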