If a scoped admin role contains another scoped admin role, and that 2nd scoped admin role does not have "Application Administrator" checked, the user will not have the expected access to certain recordsDescriptionEven though a particular user may have a scoped admin role, as well as roles necessary to pass ACLs for a particular record, if that scoped admin role contains another scoped admin role, and that 2nd scoped admin role does not have "Application Administrator" checked, the user will not have the expected access to the record.Steps to Reproduce Activate the "Human Resources Scoped App: Core" pluginGive Abel Tuter the following roles: sn_hr_core_adminitilskill_adminuser_admin Impersonate Abel TuterNavigate to sys_user group, and open the "HR Admin" groupObserve the record is read-only, even though Abel Tuter has the "sn_hr_core_admin" role, as well as the roles required by this OOB sys_user_group "Write" ACL:http://<instance_name>/nav_to.do?uri=sys_security_acl.do?sys_id=8ba177f90a0a0b440043a5c91bdacd42Open sys_user_role record "sn_esign.admin", which is contained by "sn_hr_core_admin"App the "Application Administrator" field to the form, and check itImpersonate Abel Tuter again, and observe that he now has write access to the "HR Admin" group recordActivation of "Human Resources Scoped App: Core" also activates the "E-Signature" application, and the "sn_hr_core_admin" role contains the "sn_esign.admin" role.Workaround1. Go to role table and open sn_esign.admin2. Make sure the " Application Administrator" field as true and set assignable by field value as "sn_esign.admin"Related Problem: PRB1382457