I need a group of users to be able to view every post of a custom post type (called a directory, in my case), but only edit their own group's post. The two options I've come up with are either not to give edit_others_directories, but allow it in specific cases, or to give edit_others_directories capabilities, and deny it in nearly every case.
The first option, disallowing the capability but overriding it in special cases, doesn't appear to do anything. No one has the ability to edit anything. The second option, allowing the capability but denying it in special cases, is a little more peculiar. Denying "Read" and "List" actions works fine. Denying "Edit" or "Delete" actions only removes those links from the custom post backend list, but doesn't stop the user from clicking on the title to edit, or deleting the post once they're in edit mode.
Gif of the odd behavior in the backend
If I switch the custom post type to use the same capabilities as a normal post, the policy will correctly disallow editing, deleting, and publishing, though even then I can't find a way to grant access to one post to someone who would otherwise not have the capability.
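A sketch of the first option (withhold edit_others_directories, grant edit per post) using only WordPress core's map_meta_cap filter. This is an added example, not part of the original post and not the code of any access-policy plugin. It assumes the post type slug is directory, that a hypothetical meta key directory_group_id is stored on both the post and the user, and that the group's role has edit_directories and delete_directories but not edit_others_directories.

```php
<?php
// Added example. Assumed names: post type 'directory' and a hypothetical
// meta key 'directory_group_id' stored on both the post and the user.

add_action( 'init', function () {
    register_post_type( 'directory', array(
        'label'           => 'Directories',
        'public'          => true,
        'show_ui'         => true,
        // Generates edit_directories, edit_others_directories, delete_directories, ...
        'capability_type' => array( 'directory', 'directories' ),
        // true makes core map edit_post/delete_post onto the primitive caps above.
        'map_meta_cap'    => true,
    ) );
} );

add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    // Core translates edit_directory/delete_directory into these meta caps.
    $primitive = array(
        'edit_post'   => 'edit_directories',
        'delete_post' => 'delete_directories',
    );
    if ( ! isset( $primitive[ $cap ] ) || empty( $args[0] ) ) {
        return $caps; // Not a per-post edit/delete check.
    }

    $post = get_post( $args[0] );
    if ( ! $post || 'directory' !== $post->post_type ) {
        return $caps; // Leave every other post type untouched.
    }

    $post_group = (string) get_post_meta( $post->ID, 'directory_group_id', true );
    $user_group = (string) get_user_meta( $user_id, 'directory_group_id', true );

    if ( '' !== $post_group && $post_group === $user_group ) {
        // Same group: require only the primitive cap, so neither
        // edit_others_directories nor the *_published_* caps are needed.
        return array( $primitive[ $cap ] );
    }

    // Different group: keep core's answer, which still demands
    // edit_others_directories (or delete_others_directories).
    return $caps;
}, 10, 4 );
```

Because the edit screen, the trash/delete handlers and the REST API all call current_user_can( 'edit_post', $id ) or current_user_can( 'delete_post', $id ), the decision is enforced on the request itself and not only by hiding row-action links.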