Is it possible to set alternate permissions on variations within content fragments? In my workflow, the master needs to be a "read-only" version. Authors should be able to create and edit variations, but they can't change the master. I don't see ACLs in useradmin for the variations, just the CF itself. Is it possible to do this?
I'm not sure if this would work but you may try to restrict the "write" permissions via /crx/de 'Access Control' tab
Remove the "jcr:write" and "rep:write" permissions on the path where your CFs are stored for "original" node for specific user/group.
E.g. say you've a Cf at '/content/dam/<we-retail>/<some_path>/myfragment' then you'd add a new entry for a user/group (based on your requirements)
rep:glob as /content/dam/<we-retail>/<some_path>/myfragment/jcr:content/renditions/original where you'd add all relevant permissions except the write permissions. You may add a REGEX for the same based on your requirements. This way you'd not have the write permissions on the original (master) version of CF but all other nodes including variations.