In looking at granularity for AF contacts, contact groups, notifications and notification templates, I believe the following to be true:
Contact and Notification Contact Templates are maintained at the AF Server level and access can be granted/denied by identity
Notification Rules and Notification Rule templates are maintained at the AF Database level and access can be granted/denied by identify
HOWEVER, if an identity has access to an item such as contacts, that is access for ALL contacts; an individual contact for example cannot be 'owned' by one individual only and have read/write/edit access excluded for other users that have read/write/edit access to contacts in general.
Also, an identity can have read/write/edit access to contacts to update distribution lists, but does not necessarily have read/write/edit access to the notifications that use these lists. That is, they can add or remove an address from the contact, but not add or remove contact groups from the notification.
Can I get someone to confirm/deny/clarify my assumptions?