We recently discovered an "intended behavior" that smells an awful lot like a bug to me.
Our intent is for users to be able to add issues to tasks assigned to them, but not add issues to projects themselves. We set up permissions in such a way as to provide this, but our users are still able to add issues to the projects.
We entered a ticket, and after three weeks of research Adobe provided this response:
"Our engineers were able to find that when a user has View access to a higher object (such as a program or portfolio), the system is designed to allow those users to enter in issues for projects and tasks. This design has been implemented for quite some time, but our documentation didn't reflect the described behavior. I have included the updated documentation below.
"User <redacted> has View access to the portfolio of the project where he can add issues. The system will take those assigned rights (on the portfolio level) and it will not be overridden by the selection on the project level (marking for the user to not be able to add issues). In order to prohibit users from adding issues to projects or tasks, you will need to remove view access on the portfolio level."
So giving users VIEW access to a high-level object also grants them certain EDIT permissions on lower objects. This is a) not intuitive in any way and b) poor design.
There is currently no way to achieve our goal without removing view access to portfolios (which we want them to have). This "link" needs to be broken. If we want a group of users to have edit on an object type then we'll use the existing permissions structure to grant them that access.