Fair enough as long as it was a deliberate choice. In practice, it seems the "one administrator to rule them all" will/should always have access to all policies - even all component policies.
Thanks for the response. -Mark On Fri, Feb 22, 2019 at 3:46 PM Matt Gilman <[email protected]> wrote: > Mark, > > You are correct that this behavior differs from the policies on the > components themselves. The behavior there always for overriding the allowed > users of an ancestor resource. The policies on the policies themselves are > inherited and not overridden. This is noted in the UI since the behavior is > different from how component policies override ancestor policies. This > choice was made since it allowed for folks to define an administrator for > all things and local/component level administrators. > > Matt > > On Fri, Feb 22, 2019 at 3:03 PM Mark Bean <[email protected]> wrote: > > > There is a global level access policy for 'access all policies' (view and > > modify). These access policies apply to components (e.g. processor) as > well > > as the controller. Even if a user is explicitly excluded from the > component > > level access policy 'view/modify the policies', the user still has access > > due to the global level policy. > > > > Is this correct/desired behavior? > > > > It seems to me the component level access policies should allow the > ability > > for a global level policy to be overridden for a given component(s). > > >
