Hi surli,
Let me first clarify what I had understood from your question and particular use case, so we avoid any misunderstanding in my reply.
You have a UserA which is a member of GroupX.
You have defined two rules at the main WIKI level:
- GroupX is allowed ADMIN right
- UserA is denied DELETE right
What really matters here in regard to the DELETE right is the fact that, at the same level, it is allowed to UserA by means of a group but, more importantly, it is disallowed to UserA explicitly. This causes the application of the following policy:
- at the same level, a right assigned by means of a user gets priority over a right assigned by means of a group
Neither the inheritance policy nor the tie resolution policy is involved here, since there is neither inheritance nor a tie. The right set on a user simply wins over the right set on, or implied by, a group.
Therefore, although I have not checked whether this is what really happens, I am very confident it is so: I expect UserA to be denied the deletion of documents.
This feature is made on purpose, since it allows managing rights by means of groups while keeping possible exceptions for a user. It only happens on the same level, and is therefore quite clear to understand, since it appears on the same screen, as opposed to inherited rights, which are much more difficult to understand.
Of course, it depends on the right considered, and the ADMIN right is definitely a poor example: it just prevents the user from deleting by mistake, but does not prevent him from changing his own rights if he really wants to achieve his goal.
I would not change anything, since I am certain this kind of use case has a meaning in certain situations, and on the other hand it cannot really hurt, since both rules are visible on the same screen. Also, never forget that the security module is extensible and could be used for other rights than the base ones, and that you can also replace the right settler if you really need to. So it deserves to be made more general than any particular use case, IMO.
Finally, your use case does not follow the common best practice, which is to disallow rights by allowing them to others, and is therefore an advanced usage of the right policies. That's the price to pay when you go advanced: you have to understand the very details of the right policies.
Let me know if I have misunderstood your question.