Also I flushed the JMX and XWiki caches in order to avoid any caching issues, as the output of the “Check Security Cache”-Extension was too complex for the first sight.
My Questions:
Is my understanding correct that the disallow permission on the Global:XWikiAllGroup is stronger than the allow permission on the subwiki’s Local:XWikiAllGroup or is the config wrong at all?
Is there an alternative approach to achieve my goal beside granting the view right on the user level (that actually works)?
You don’t really need to use any “deny” right. What you need to do is set the “view, edit, comment” rights t the local XWikiAllGroup. This will be sufficient to deny global users access to the wiki.
Only pages which would then explicitely give rights to global users could be viewable.
Yes it’s the correct understanding. Disallowing is stronger than allow permission.
See up there. Unless you fear users would wrongly give right to global users in you wiki, you don’t need the disallow right… The standard allow right can be understood as
As long as one right is set for an area, only users (groups, individual users) can access the (wiki, space, page) with the specific (view, edit, comment) set
Most likely I messed up my test scenarios, because your described approach perfectly solves my problem. But I thought I had tested that already, causing me to explicitly deny the Global group the access.
Now the setup is absolutely straight forward and I also got a little more insight on how the permission system in XWiki works.