1 pointHello @dvanetten, I can indeed reproduce the problem. We'll add a task to fix it asap and I'll update this thread to notify you once it's released. Thank you for the report and sorry for the inconveniences.
1 pointHi @tciz_plastic, the following blogpost explains you scenario: http://blog.plasticscm.com/2014/07/securing-plastic-scm-system.html The key is not to deny the permission, just disable it. Notice the "deny" permissions will prevail over the "granted" permission so if a user belong to multiple groups the "deny" will win. On the other hand, if the X permission is not granted and not denied the user will not be able to do the X operation, unless it inherits the ability from another group.
1 pointWell, you would need a license for the server to run, but the read-only operations will not consume an extra license spot. Anway, the same users from your production server will be accessing the second server, right? So you can use the same license file. If you need an extra read-only user, you will be able to use it without paying extra for it. Regards, Carlos.