If a user wants specific permissions for their project—for example, with my use case, I want anonymous users to be able to access a report named Logs but not others—a whole new role must be created, which can only be done by an administrator. This presents a severe restriction in flexibility and places extra responsibility on the admins to field such requests.
A solution to this is project roles, where a project defines its own roles and can assign them to the default role/users/groups, and to nested projects as well. Users can then self-service their own roles per their own needs and the needs of their project. A "role manager" role permission should also be added for this.
To restrict users from granting more permissions than the project owner/admin has allowed, a "master role" could be specified in the project configuration that prevents users from creating/updating roles with permissions that are not set on the master role. So, if "issue management" is not assigned to that role, and a user tries to assign it to a custom role, it will not be allowed. If such a config value were left unset, then all permissions could be granted.
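One way the proposed master-role ceiling could be enforced, as an added example that is not part of the original request or of any project's code. The permission names, the `Project` class and the audit pass for roles that predate a narrowed master role are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical name for the proposed "role manager" permission.
ROLE_MANAGER = "manage_roles"


@dataclass
class Project:
    name: str
    # Permissions set on the project's master role; None means the
    # config value is unset, so every permission may be granted.
    master_role: Optional[frozenset] = None
    roles: dict = field(default_factory=dict)  # role name -> set of permissions


def excess_permissions(project, requested):
    """Return the requested permissions that the master role does not carry."""
    if project.master_role is None:
        return set()
    return set(requested) - project.master_role


def save_role(project, actor_permissions, role_name, requested):
    """Create or update a project role, enforcing the master-role ceiling."""
    if ROLE_MANAGER not in actor_permissions:
        raise PermissionError("actor lacks the role manager permission")
    denied = excess_permissions(project, requested)
    if denied:
        # Reject the whole change rather than silently dropping permissions.
        raise PermissionError(f"not set on master role: {sorted(denied)}")
    project.roles[role_name] = set(requested)


def audit_roles(project):
    """Find stored roles that exceed the ceiling.

    save_role only checks at write time, so a role created before the
    master role was narrowed keeps its old permissions until reviewed.
    """
    found = {}
    for name, perms in project.roles.items():
        denied = excess_permissions(project, perms)
        if denied:
            found[name] = denied
    return found
```

Running `audit_roles` whenever the master role changes surfaces custom roles that were valid when saved but now exceed what the owner allows.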