During submission the item derives some basic access rights from the
collections settings, especially
Setting DEFAULT_BITSTREAM_READ to a group will lead to
the appropriate READ rights on the bundles created and thus to the rights
for the individual bitstreams contained in these bundles.
These collection settings take only effect during submission. Once an item
is submitted they have no effect.
If you delete all bitstreams in a bundle, the bundle is automatically
deleted. So removing the content of an item (bitstreams in bundle ORIGINAL)
will delete the bundle ORIGINAL.
Adding a bitstream to an item with no bundle ORIGINAL, will first create
the bundle and then insert the bitstream to it. At this point the bundle
and the bitstream will get anonymous READ rights, whereas adding an
bitstream to an item which still got a bundle ORIGINAL will lead to the
bistream inheriting the rights of the bundle ORIGINAL.
This behaviour might lead folks with restricted materials into trouble,
when they e.g. replace bitstreams via admin UI by the action of first
deleting all bitstreams and then adding new. The newly added bitstreams
will have no access restrictions.