Also need to mention that the logic in your last picture is not true. System takes all PFCG roles which user has. Then it itterates through them trying to get business roles for the user. In other words, PFCG role in business role settings is used only as a selection criteria. It doesn't give the user its authorization.
↧