How to repeat: As rhqadmin, create a compatible group (i used Datasources). Create a role with all perms except "Configure". Add a user to the role and the compat group to the role. Log out and log in as that user. Go to the compat group config page, Edit, change one of the values, click save. The update succeeds. It should fail because the user doesn't have configure permission.
Jeff, I wasn't able to reproduce this. You said you gave the test role all perms except CONFIGURE. Did this include the MANAGE_INVENTORY global perm? If so, that would also implicitly grant all resource perms, including CONFIGURE. Note, r3400 adds better error messages for permission errors.
No MANAGE_INVENTORY wasn't checked, since that forces CONFIGURE on as well. If you have a test server, let me see if I can repro it there.
oh, i see the problem now. ips, i thought you were referring to "Manage security" role that enables the other roles
This bug was previously known as http://jira.rhq-project.org/browse/RHQ-1761