Roles issue
I'm sure this has been asked before, but because I think it seriously needs to be changed:
Why the hell would you guys use a restrictive model for roles rather than additive??
Companies are built in a hierarchical fashion, which means that people higher in the company have greater permissions and authority to do things. A restrictive model for role-based security and permissions is completely contradictory to that. Can someone please help me understand why it was done this way and why it has not been changed?
So far as I can tell, the only way to accomplish the correct additive type model with a restrictive model is to create a role for every single job and then create completely (or nearly completely) unrestricted roles as pseudo-groups. I'm still testing this theory out, so it may not even function properly that way. It's a management nightmare to say the least.
And if no one is going to change it, where is the security check in the code that performs the restrictive model check? If I know where to look, I'll change it myself and provide the code. As it is, I looked once in 4.5.x and couldn't figure out a pinpoint place... at least it wasn't obvious.
Win2k3
SugarCE v5b
IIS 6
PHP 5.2.3
MySQL 5.0.27-community