Pretty vanilla install, controller and three targets.
Test group, test user created on controller.
Test user is made part of the group.
Group is given explicit-allow for node-2, explicit-deny for every single other permission in ADS.
User can ony see instances on node-2 as expected.
Group is given ADS.InstanceManagement.CreateInstance) permission.
User can see instances on node-2, but can now see both nodes, and has a “New instance” button on both, and can successfully create instances on a node it has no visibility of managability of.
Is this the intended behaviour? It feels incorrect, and a big opportunity for issues.