Hi @lilim    Thanks for the reply.   Here are the default permissions in the areas I want to block a specific role from seeing:

Here are the permissions for the role I want to block:

Yet I switch to a user that has that role, and I can still access this area so obviously I'm not understanding how this works.    They have access to the parent category and sibling categories.  I just want to block them from this one. 

For the Knowledge Partner role at the board level, you could try moving the read posts permissions to "deny" rather than the "default". While it is also set to deny, it might be overridden by the permissions at the community level.

----------------------------------

Lili McDonald
Community Manager @ Amazon
Connect on LinkedIn

Ok..did that.  It made no difference.   I just don't understand why I can't block this role here.  The user has no other roles that has access to these private areas. 

Have you tried deleting that role from the board level and the category level (if possible)?

----------------------------------

Lili McDonald
Community Manager @ Amazon
Connect on LinkedIn

Have you confirmed that the roles you create are actually sticking? I had an issue a few weeks ago where my roles would always revert back to the default permissions after I saved them.

Support fixed this via some sort of configuration change that had to be deployed in the maintenance window.

Perhaps there's a name mismatch between the community-level role and the category-level role - e.g. two spaces accidentally in one of the versions of the name? I like @lilim's suggestion of deleting the role (maybe both roles) and trying again.

@lilim  I've deleted the role at the category level and recreated it twice.  @CarolineS  when I recreated it I copied/pasted the role name, and it's not a complicated role name so I'm certain there isn't a name mismatch.  I think it's time I open a support case and ask them to look at it and tell me why it isn't working.  Thanks a LOT for trying to help me figure this one out.  I'll post back here when support tells me what bonehead thing I'm doing to make it so this doesn't work.

Is it possible to reverse the logic of having this role exclude this location and rather have a role that allows the location, which is disabled by default.

We have several employee only or superuser only locales within Community. These are explicitly granted via a role rather than, as in your case, revoked.

@DanK  I would prefer not to do it that way if I don't have to as there are quite a few sibling nodes where the role needs permissions and I would have to create the role under each one of those.   It should be simpler than that.    What I'm trying to do SHOULD work.  I need to find out why it doesn't.

When I was creating our superuser program we wanted expert users to be able to move posts to visible areas of community and also edit the tKB. To get the permissions right I ended up creating the superuser role on every single public category in the community and allowing the permissions I wanted at that level.

It makes sense that the permissions should work the way you are saying but I am not sure that they do or will.

Ouch!  

Ok then.  It sounds like I need to remove the default access then grant access at ALL the lower level nodes.   That sucks. 🙂   In all other community platforms I manage you can set all permissions for all roles at a node level.  All permissions flow downwards unless they are changed at the node level to grant OR deny.   Lithium role permissions need to catch up with what everyone else is doing.