The PermissionMapping defined in section 2.8.5.2 (line 641) currently specifies that each AllowableAction is mapped to exactly one permission.

This works OK in the case where a repository is only supporting the basic CMIS permissions (where there's clearly no interaction between read & delete), but not as well for scenarios where the repository has exposed custom permissions (e.g. compound permissions like "contribute" and "manage" – which may map to "role definitions" in the underlying repository implementation). In those cases, there's no way to express that to perform action Foo, the user needs one or more of the following permissions (contribute, manage).