This was originally reported by Jeremy Ford:

<quote>
I have a group G and a role R. A user is assigned to group G and role R,
but they are not in the Jetspeed group. I have a security entry stating
allow all actions for role R.

When I try to view a psml with the security reference, the user cannot see
the psml. The reason is that the check in BaseSecurityEntry checks the
grouprole access map. The access map was loaded with the default Jetspeed
group because the group was not defined in the security entry.

I would expect that the group role check would check all groups for the role
that I'm looking for.

So, in allowsGroupRole it would go something like:

allow = isInAllowMap(allowMap, GROUP_ROLE_MAP, group+role, ALL_GROUP_ROLES);

if(!allow)
allow = isInAllowMap(allowMap, GROUP_ROLE_MAP, ALL_GROUPS+role,
ALL_GROUP_ROLES);

if(!allow)
allow = isInAllowMap(allowMap, GROUP_ROLE_MAP, group+ALL_ROLES,
ALL_GROUP_ROLES);

</quote>