Mark,

You are correct that this behavior differs from the policies on the components themselves. The behavior there allows for overriding the allowed users of an ancestor resource. The policies on the policies themselves are inherited and not overridden. This is noted in the UI since the behavior is different from how component policies override ancestor policies. This choice was made since it allowed for folks to define an administrator for all things and local/component level administrators.

Matt

On Fri, Feb 22, 2019 at 3:03 PM Mark Bean <[email protected]> wrote:

> There is a global level access policy for 'access all policies' (view and
> modify). These access policies apply to components (e.g. processor) as well
> as the controller. Even if a user is explicitly excluded from the component
> level access policy 'view/modify the policies', the user still has access
> due to the global level policy.
>
> Is this correct/desired behavior?
>
> It seems to me the component level access policies should allow the ability
> for a global level policy to be overridden for a given component(s).
