Content Server validates permission sets before a permission set is saved, as follows:
New accessors (users or groups) for permissions are evaluated to confirm they belong to all the required groups and at least one of the groups listed in the required group set.
New accessors for restrictions are evaluated to confirm that they belong to all the required groups and at least one of the groups listed in the required group set.
If Trusted Content Services is enabled, the Content Server performs the following additional validations:
When new groups are added to a required group list, all accessors listed for both permissions and restrictions are evaluated and any accessors who do not belong to the newly added groups are flagged.
When new groups are added to a required group set list, all accessors listed for both permissions and restrictions are evaluated and any accessors who do not belong to the newly added groups are flagged.
When a user accesses the permissions tab in this application:
Accessors currently listed for both permissions and restrictions are evaluated.
Accessors who do not belong to all the groups in the required groups list and to at least one of the groups in the required group set are flagged.