I am working on a configuration in a project that only one group is supposed to edit. In the configuration security setting, I grant that group Configuration Administrator role, then deny Edit Configuration permission for the whole Registered Users group. Turned out that group cannot edit that configuration either. How should I set this kind of security correctly, without having to deny permission for every user individually except that group?
Also I am wondering for configuration with no one has edit permission, how can an Admin user delete it? I had to clone all the other configurations in that project out, without copying over the security setting, then delete the whole project.
It is common for the more restrictive deny permissions to take precedence over allow permissions. This is the case with Continua.
By default the Users role, which is assigned to Registered Users, has no permissions. Note that this was changed in version v1.5.0.185 - previously Registered Users had full project and configuration permissions by default. If your database was upgraded from a version prior to v1.5.0.185 the old permissions will still remain.
I would recommend that you remove any permissions which are set on the Users role on the Administration -> Roles page and then create new groups for assigning permissions to any projects or configurations which require them. Use deny permissions sparingly and only to remove permissions for a single user or subset of users which already have access.
Thank you for reporting the second issue. If you have removed only edit permissions from a configuration, you will still have delete permissions and can delete from the last page of the project wizard page, on from the Edit menu when viewing the configuration. However, there does seem to be a issue if you were to deny all users both edit and delete permissions for a configuration. I think that the Administrator permission should be treated as a special case and override any denied permissions.
We’ll look into this in more detail and get a update out to deal with this issue soon.