Today we still go somewhat deeper into the permissions issue:
Currently, it is not possible to have a team workspace with certain membership, and define a subdirectory that has restricted access.
A typical scenario is a team workspace for a department, and you would like to define a subdirectory restricted to a managerial group.
If you think you could also need this, please join in to suggest the following enhancment:
ER 9414428: ALLOW SUBGROUP DENY IN TEAMWORKSPACES PERMISSIONS
We are currently implementing laborious workarounds to implement this.
"Beehive administrators can easily set-up access control policies and apply them as needed to individual users, workspaces, user groups, departments, or enterprise wide" (cited from "Oracle Beehive: A Flexible Collaboration Platform for the Enterprise") - currently it's not so easy if you need to define advanced ACLs.