It seems that One Data access permissions are derived from Catalog Item permissions.
I have a situation where a user group should only have read rights on Catalog Items within their domain but ful rights on One Data objects within that domain. This seems impossible?
This is for version 16.3.1