NJP

Security Constraint, but it is all green!

Import · Feb 06, 2017 · article

I just stumbled over a new Security restraint that I never noticed before. I had a user that had the role "user_admin" so they could do some standard admin stuff.

Now with the role, you have the "groups" module and in that, you can press "new". Here you put in your data and press save, unless you want to add a type.

Then this happens…

image

That was kind of a bummer. But my guess was some kind of ACL so I put on my superhero cape and started to debug security.

I was expecting a page with at least ONE red row with ACL to confirm that I was right on track, but this is what I got.

image

I see the "Security constraints prevent access to requested page" message. However, it is all green, and after another look I can see that there is not any ACL at all. This should be your "red flag".

I remember the days when I took the sys admin course, going through ACL for the first time and it was VERY complex, and I never thought I would understand it.

Nevertheless, I got that if it could not find an ACL for the specific table, it goes downwards to the wildcard one etc.

And I have this beautiful picture in my head:

image

Now, there is a * ACL, but it requires me to have the role admin to get access. But I do not see any red rows in my debug…

It all boils down to the Security settings. By default, it has this setting under System Properties -> Security:

image

Meaning that if it doesn't have any ACL at all, access will be denied... and it didn't have any.

image
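The fallback and default-deny behaviour described above, as an added example that is not from the original post or from ServiceNow: a simplified JavaScript model in which `checkAccess`, `findAcls`, the ACL object shape and the `defaultMode` parameter are assumptions for illustration. It shows why a denial with no red rows in the debug output points at the default mode rather than at a failed ACL.

```javascript
// Simplified model of ACL fallback; NOT ServiceNow's engine.
// The ACL shape, function names and defaultMode parameter are assumptions.
function findAcls(acls, table, operation) {
  // Most specific first: ACLs named after the table, then the "*" wildcard.
  for (const name of [table, '*']) {
    const hits = acls.filter(a => a.name === name && a.operation === operation);
    if (hits.length > 0) return hits;
  }
  return [];
}

function checkAccess(acls, userRoles, table, operation, defaultMode) {
  const matched = findAcls(acls, table, operation);
  // One debug row per evaluated ACL: green when the user holds a required role.
  const rows = matched.map(a => ({
    acl: a.name + '/' + a.operation,
    passed: a.roles.some(r => userRoles.includes(r)),
  }));
  if (rows.length === 0) {
    // Nothing matched, so nothing can be red: the default mode decides.
    return { allowed: defaultMode === 'allow', rows, reason: 'default mode: ' + defaultMode };
  }
  const allowed = rows.some(r => r.passed);
  return { allowed, rows, reason: allowed ? 'ACL passed' : 'ACL failed' };
}

// Constructed sample data.
const acls = [
  { name: 'sys_user_group', operation: 'read', roles: ['user_admin'] },
  { name: '*', operation: 'read', roles: ['admin'] },
];
const roles = ['user_admin'];

// Table without its own ACL: the wildcard is evaluated and shows up red.
const viaWildcard = checkAccess(acls, roles, 'some_table', 'read', 'deny');
// Operation with no ACL at all: denied with zero rows, the case in this post.
const noAcl = checkAccess(acls, roles, 'some_table', 'create', 'deny');
console.log(viaWildcard, noAcl);
```

When triaging a denial, an empty `rows` list is the signal to check the default security mode and to look for a missing ACL instead of a failing one.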

View original source

https://www.servicenow.com/community/developer-blog/security-constrain-but-it-is-all-green/ba-p/2267010