I've configured a Task which contains a single Operation. The Task has no authorization rule assigned to it but the contained Operation does. Here's an example:
SalesPage.aspx (The named task)
|_______ SalesPageRefund (The named operation contained within the task)
This is basically attempting to model a scenario where if someone has the ability to perform a refund in a web page called SalesPage.aspx then that person should implicitly / automatically also get access to the parent Task.
Unfortunately this doesn't appear to be the case or perhaps I've got something configured wrong. When I run a CheckAccess test for a given user with this setup I see:
SalesPage.aspx - (NEUTRAL)
|_______ SalesPageRefund - (ALLOW)
I'm hoping that authorization to the SalesPage.aspx task will inherit up from the contained SalesPageRefund operation - and when I think about this scenario it makes sense to me: if a user has the ability to perform a specific action within a web page, then that user also needs access to the page that contains this action.
Do I misunderstand something here? Thanks for any help,