There is a global level access policy for 'access all policies' (view and
modify). These access policies apply to components (e.g. processor) as well
as the controller. Even if a user is explicitly excluded from the component
level access policy 'view/modify the policies', the user still has access
due to the global level policy.

Is this correct/desired behavior?

It seems to me the component level access policies should allow the ability
for a global level policy to be overridden for a given component(s).
