Is it possible to have dataset-level access restrictions for members in the same organization in CKAN?
In my case, we have members that are part of the same real-world organization and should all have their access to data managed by the same person, but have different permissions as to who can and cannot access certain data sets. Eg. we have a Organization of 3 users (based on how the project is set up in real life), and 5 datasets, but one of the users only has legal permission to access (or even see the metadata of) one of the datasets.
Is there any way in CKAN to have members of the same org have different visibility of datasets therein (trying to avoid actually creating multiple organization objects that the same data admin will have to manage between or is this the conventional method for this situation)?
For a vanilla CKAN implementation permissions are managed via the organizations that own each dataset as you noted. The default permission system can be modified via an extension and there are quite a few that exist although I am unsure if any match your request. You could check these out as potential solutions or an example from which to build your own:
https://github.com/NaturalHistoryMuseum/ckanext-userdatasets