Why can a non-global-access organization user see Global Access Level in OroCommerce Enterprise edition? #89

Open
videni opened this issue Jan 24, 2019 · 2 comments

Comments

@videni

videni commented Jan 24, 2019

I tried OroCommerce Enterprise edition to test its multiple organization feature. I created an ACME organization with a business unit named acme-bu; the ACME organization is not set with global access. I also created a user under this BU and gave this user the system-wide role Administrator. Then I logged in with this user and tried to create a role; the user can set the access level of the Account entity to Global, this is what I expected. However,

I copied this system-wide role Administrator, set the organization property of the newly copied role to ACME, and changed its access level to Organization for the Account entity. Now, when I try to create a role again, the user can still set global access level for the Account entity. Shouldn't the user only be able to set global access level in this situation?

Those system-wide roles are visible to all organizations, and most of those roles have Global access level to entities. It seems this implies a user from a non-global-access organization who has a system-wide role can also change the data of the whole system; apparently, this is not the case.

@yshyshkin
Contributor

yshyshkin commented Jan 24, 2019

Hello @videni.

This is a known issue and we're planning to fix it in OroCommerce 3.2.

But even if a back-office user sets the Global level, e.g. for Account for some role, and then grants this role to some person that belongs to a non-global organization, this person will still be able to see Accounts only from the one assigned organization. So this is a UX/UI issue, but not a security issue.

@videni
Author

videni commented Jan 31, 2019

@yshyshkin, thanks, good to know.
