This is definitely possible. First, change /db-data's group to app-data:
sudo chgrp -R app-data /db-data
Now set up the permissions:
sudo chmod -R g+rwx /db-data
sudo chmod -R g-w /db-data/archived-data/*
sudo find /db-data/archived-data -type d -exec 'chmod' 'g+rwx' '{}' ';'
- sudo chmod -R g+rwx /db-data gives app-data full permissions to /db-data and everything inside it.
- sudo chmod -R g-w /db-data/archived-data/* removes app-data's write permissions for everything inside /db-data/archived-data.
- Finally, sudo find /db-data/archived-data -type d -exec 'chmod' 'g+rwx' '{}' ';' restores app-data's write permissions for every directory in /db-data/archived-data (but not the files inside those directories), which is necessary to let app-data create and delete any files or directories inside /db-data/archived-data.
Now anyone in app-data will be able to read, execute, create, and delete files or directories in /db-data/archived-data (including sub-directories deeper than 1 level; i.e. app-data will be able to create and delete files in /db-data/archived-data/a/b/). If you don't want app-data to have read and/or execute permissions either, change the g-w in sudo chmod -R g-w /db-data/archived-data/* to g-rw for no read permissions, g-wx for no execute permissions, or g-rwx for no permissions at all (if you do this after running the find command, you will have to re-run it).
Finally, note that if a user in app-data creates a file or directory, he/she will be able to modify the file/directory that he/she created (but existing files will still be unmodifiable).
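The three chmod steps above, replayed on a throwaway directory tree so the resulting group bits can be checked; this is an added example, not part of the original answer. It skips sudo and chgrp, the file names are constructed and the function names are hypothetical, and it goes one step beyond the answer by including a dotfile, which the shell's * glob does not match.

```shell
#!/bin/sh
# Added example: function names and file names are assumptions for illustration.

# Build a constructed tree that mirrors the layout discussed in the answer.
build_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/db-data/archived-data/a/b"
    : > "$root/db-data/live.db"
    : > "$root/db-data/archived-data/old.db"
    : > "$root/db-data/archived-data/a/b/deep.db"
    : > "$root/db-data/archived-data/.hidden.db"   # dotfile case, skipped by *
    printf '%s\n' "$root"
}

# The answer's three permission steps, pointed at the temporary tree.
apply_answer_steps() {
    base=$1/db-data
    chmod -R g+rwx "$base"
    chmod -R g-w "$base"/archived-data/*
    find "$base/archived-data" -type d -exec chmod g+rwx '{}' ';'
}

# Files under archived-data that the group can still write.
writable_archived_files() {
    (cd "$1/db-data/archived-data" && find . -type f -perm -020 | sort)
}

# Directories under archived-data that the group cannot write.
unwritable_archived_dirs() {
    (cd "$1/db-data/archived-data" && find . -type d ! -perm -020 | sort)
}

# Variant of step 2: let find pick the files, so dotfiles are covered too.
strip_write_from_all_files() {
    find "$1/db-data/archived-data" -type f -exec chmod g-w '{}' +
}

root=$(build_tree)
apply_answer_steps "$root"
echo "group-writable files after the three steps:"
writable_archived_files "$root"
strip_write_from_all_files "$root"
echo "group-writable files after the find-based strip:"
writable_archived_files "$root"
rm -rf "$root"
```

Running the two listing functions against the real /db-data after the change is a quick audit that no archived file was left group-writable.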