> In the first situation every check for that role and action is denied, > in the second every check is allowed.
Actually that should read: in the first situation all roles for that action are denied, in the second all roles for that action are allowed. Now this is easily corrected so both operations work the same but still not as one might expect, namely that only the role used in the unauthorize is denied. Maurice
