Please consider this as a feature request for a future release of Confluence.
Boolean operands on Space permissions would be awesome. E.g. setup a Space that people in the LDAP group STAFF and the LDAP group Biosciences were the only people that were able to view/edit/add/etc - otherwise I have to have a group for "Staff in Biosiences", "Staff in Engineering", "Staff in Computing", etc.
Another use would be to add exclusions to Space permission, e.g. I want everyone in the Biosciences group to have full permissions on a Space, but NOT the users in the "Students in Biosciences" group as they should just be able to view.
One of the major gripes (in general, not specifically Confluence) is that they HATE having to set up permissions in different applications for the same groups of users. We've gone some way in improving things by moving all of our Confluence group management to LDAP, but I think this functionality would make things even better.
Although we've moved all of our group management to LDAP I can see this being useful for people who are using confluence-groups and those that are using a mixture of confluence-groups and LDAP.
Boolean operands on group/user membership is phenomenally powerful and would put you miles ahead of anything else I've seen in terms of application permissions (and I'm not just talking wikis!!!).