'Create instance' permission does not respect permissions for specific target

Pretty vanilla install, controller and three targets.
Test group, test user created on controller.

Test user is made part of the group.
Group is given explicit-allow for node-2, explicit-deny for every single other permission in ADS.
User can only see instances on node-2 as expected.

Group is given ADS.InstanceManagement.CreateInstance permission.
User can see instances on node-2, but can now see both nodes, and has a “New instance” button on both, and can successfully create instances on a node it has no visibility or manageability of.

Is this the intended behaviour? It feels incorrect, and a big opportunity for issues.