Date of First Response: 2010-03-26 06:32:49
securitylevel_name: Public

When a user has category and package admin permission he is able to access rules which have a category assigned, but if there is no category then a permission error occurs. See screenshot walkthrough: http://dl.dropbox.com/u/1368565/redhat/sentry/BRMS%20package%20permission%20issue.odt
So, a user who is package admin and can access only rules of a particular category gets a permission error when he tries to access an asset that is assigned to a category (in this case no category) that this user should not have access to - sounds good to me - or am I missing something?

Let me summarize the problem:

I have a user called "pawc" (packageadminwithcategory) which is
- package admin for package "p"
- analyst for category "c"

and a user called "panc" (packageadminnocategory) which is package admin for package "p".

I have an asset called a1 in "p" with category "c".
I have an asset called a2 in "p" without any categories assigned.

User "panc" can access both assets, user "pawc" can only access a1 and cannot access a2. IMHO that works as expected, right? User "pawc" is limited to the package "p" but is also limited to a particular group of rules which are assigned to the "c" category.
But the package Admin can't access the rule with "no category" -- so why even have a package admin right?
Which package admin? "073678"? IMHO that's fine, because this is an admin who is limited with the analyst role to particular rules - so as a package admin he still can perform all the tasks a package admin is allowed to do (build pkg, create snapshots, etc) - that's what the package admin role is for. However he can only access rules which are assigned to the UWReporting, UWReporting/UWRMapping and UWReporting/UWRProviderSection categories. Rules assigned to other categories and also not assigned to any categories are out of sight for this guy, even though he has package admin rights... these rights are limited because of the additional analyst role.
I agree it may be functioning as designed, the design is however very limited and kind of broken. It doesn't allow for separation. You must have full power over all rules with a category or no power. It means that someone in NY editing a rule in the "billing" category has to have permission to dink with rules in the "billing" category for FL. It's not possible to separate this in any sensible way. So the design is kind of limited. It ought to be ACLs + inheritance (more like NTFS permissions), instead it's like unix filesystem permissions but with no umask, groups or ownership.
changed to feature request (aka "a more logical security model")
Link: Added: This issue depends GUVNOR-537
This has been resolved on trunk, here is how it works now:

Package type users (package.admin, package.developer, package.readonly) can only access packages. This means if a user only has package type rules, he/she will see no categories under the category navigator ("Browse" -> "Assets" -> "By Category").

Analyst type users (Analyst, Analyst.readonly) can only access categories. This means if a user only has analyst type rules, he/she will see no packages under the package navigator ("Knowledge Bases" -> "Packages").

For a particular asset, the user can access this asset if one of the user's permissions allows.
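The resolved model described in the comment above, as an added example that is not part of the issue or of Guvnor's own code: package-type roles grant access to every asset in a package, analyst-type roles grant access to every asset in a category, an asset is accessible if any one permission allows it, and the navigators only show the kind of container the user holds a role for. The users, assets and the hierarchical "UWReporting/UWRMapping"-style category matching are constructed for the example; role names are those listed in the comment.

```python
from dataclasses import dataclass

# Role names as listed in the resolution comment (lower-cased for comparison).
PACKAGE_ROLES = {"package.admin", "package.developer", "package.readonly"}
ANALYST_ROLES = {"analyst", "analyst.readonly"}


@dataclass(frozen=True)
class Permission:
    role: str
    target: str  # package name for package roles, category path for analyst roles


@dataclass(frozen=True)
class Asset:
    name: str
    package: str
    categories: frozenset = frozenset()  # empty set models "no category"


def _category_covers(perm_category: str, asset_categories: frozenset) -> bool:
    """Assumption for this example: an analyst permission on "UWReporting"
    also covers sub-categories such as "UWReporting/UWRMapping"."""
    return any(c == perm_category or c.startswith(perm_category + "/")
               for c in asset_categories)


def can_access(perms: set, asset: Asset) -> bool:
    """Access is granted if ANY single permission allows the asset."""
    for p in perms:
        role = p.role.lower()
        if role in PACKAGE_ROLES and p.target == asset.package:
            return True
        if role in ANALYST_ROLES and _category_covers(p.target, asset.categories):
            return True
    return False


def visible_packages(perms: set, packages: list) -> list:
    """Package navigator: only package-type roles reveal packages."""
    granted = {p.target for p in perms if p.role.lower() in PACKAGE_ROLES}
    return [pkg for pkg in packages if pkg in granted]


def visible_categories(perms: set, categories: list) -> list:
    """Category navigator: only analyst-type roles reveal categories."""
    granted = [p.target for p in perms if p.role.lower() in ANALYST_ROLES]
    return [c for c in categories
            if any(c == g or c.startswith(g + "/") for g in granted)]


# Constructed scenario mirroring the "pawc"/"panc" users from the discussion.
PAWC = {Permission("package.admin", "p"), Permission("analyst", "c")}
PANC = {Permission("package.admin", "p")}
ANALYST_C = {Permission("analyst", "c")}
A1 = Asset("a1", "p", frozenset({"c"}))
A2 = Asset("a2", "p")  # no category assigned


def scenario() -> dict:
    """Evaluate the discussed accesses under the redesigned model."""
    return {
        "pawc->a1": can_access(PAWC, A1),
        "pawc->a2": can_access(PAWC, A2),  # now allowed via package.admin on "p"
        "panc->a1": can_access(PANC, A1),
        "panc->a2": can_access(PANC, A2),
        "analyst_c->a1": can_access(ANALYST_C, A1),
        "analyst_c->a2": can_access(ANALYST_C, A2),  # no category, no package role
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {'allowed' if v else 'denied'}")
    print("panc sees categories:", visible_categories(PANC, ["c"]))
    print("analyst_c sees packages:", visible_packages(ANALYST_C, ["p"]))
```

The point worth checking in a real deployment is the "any permission allows" rule: a package-type permission alone is now sufficient for uncategorised assets, which removes the error in the original report but also means that adding an analyst role to a package admin no longer narrows what that admin can reach.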
Writer: Added: Darrin
Release Notes Docs Status: Added: Not Yet Documented
Release Notes Text: Added: test
Release Notes Text: Removed: test
Labels: Removed: rn-dmison rn-open Added: rn-dlesage rn-done-resolved
Release Notes Docs Status: Removed: Not Yet Documented Added: Documented as Resolved Issue
Writer: Removed: Darrin Added: dlesage
Release Notes Text: Added: https://issues.jboss.org/browse/GUVNOR-537 Package security has been redesigned. Previously, a user could not access individual rules without permission to access all of the ones in an entire category. Now, package users can only access packages. They are not able to see categories in the Category Navigator. Analysts can now only access categories. If they only have access to analyst rules, they will not be able to see packages in the Package Navigator.