We have MDS 2012 in which we are using derived hierarchies to manage call center data. I have set up permissions at the highest parent level so that uses only have access to modify their centers, but have read only on the others so they can see other parts of the hierarchy.
Our users are testing and found they can move objects from parents where they have access to parents where they do not have access.
For example:
Parent A
-Child A
-Child B
Parent B
-Child C
-Child D
User Bob has Update permissions on Parent A, Read-Only on Parent B. Bob can move child A from Parent A to Parent B, even though he has Read-Only on Parent B.
No validation errors occur from business rules, nor from permissions; however, once the model validates, Bob cannot edit Child A under Parent B as it is now Read-Only. We do not want users to be able to move children across parents for which they do not have update access.
How to I fix this?