Why are we having Can Add as a separate property ? why don't we have it in the permissions tabs along with other operations ?
and why do we have checkbox for can add again ?
I cannot tell you the reason why Aras uses a separate Can Add relationship. Integrating an 'add' option into permission of course sounds logical. But this design is used since the early days of Aras. I assume the reason for this design was based on requirements of the past.
And now hundreds of companies use Aras exactly which this design. Image what would happen if Aras change it? A few users would be very happy while the rest of the Aras world would turn into chaos.
The checkbox form my POV is a little admin help. Sometimes you want to prevent users from adding new items when update something in the system. Of course you can delete the Identities in can_add and later restore them. But when you use many identities in the relationship, it can happen that you forgot one when you restore them. With the checkbox you can simple tick identities out without having to spend too much additional time for documentation.
for me it does not seem to be so strange to split Can Add from the other privileges.
Let us have in mind, that every EXISTING Item points to exactly one permission - it does not make too much sense to assign to an Item, who would now have the right to create it - it IS already created.
Having the pointer to a permission per Item(!) allows for individual permissions, possibly changing during the life of an Item dependent on the maturity (status) or being varied by private permissions respectively an access change.
So the split of privileges allows for general control per ItemType (and optionally subclass) the creation of Items, but on a per Item base for the access to existing Items.