if a host belongs to multiple groups and user has write access to one of those groups, but read-only or deny on other groups, user has no access to that host.

but if a maintenance period is created for the rw group, all hosts, including the ones user has no access to, are put into maintenance.

malicious or accidental maintenance could disrupt monitoring in a serious way.

might be hard to fix easily, as there is no information stored about who created the maintenance (as far as i know)