It's not that. I will try to explain further.
The priority is applicable only within a single right, and the common user permissions are a union of the permissions of the roles the user belongs to.
The main rule is that Deny
permission for a specific right has a higher priority than Allow
permission for the same right, i.e. if you have a role 'Approvers' with Approve
right set to Allow
and a role 'Editors' with Approve
, the users which are belong to the both roles, won't have Approve permission.
The 'owner' role is an exception of this rule, its Allow permission is with higher priority than Deny of the other roles.
As for the scenario you mentioned:
Lets say that Approve
right is not set for the 'owner' role, but you have an 'Approvers' role with Allow Approve
. Alice belongs to 'Approvers' role, but Bob - not. If Alice create a page, she will be able to publish it, even she is the creator (which can't Approve), because her actual permissions are a union of the 'owner' and 'Approvers' roles.
the Telerik team
Check out Telerik Trainer
, the state of the art learning tool for Telerik products.