Either I am misunderstanding how the current Space/group based permissions work, or something is broken.
Here you can see that the “Credentials” space grants Editor level access to Users in the “MANAGER” group:
Here you can see that “Susan C” is a member of the “MANAGER” group:
So why can “Susan C” NOT open a Credentials entity? She can certainly see all the Credentials fields in this table view: