I've been playing around with the new permissions to see if I can achieve what I wanted to before with security groups. However, it doesn't seem to react the way I would expect.
Existing objects:
Test role 1
Test role 2
Test user (test user only has Test role 2)
Suppose I have a folder set with discrete permissions to do:
View/Add/Edit/Delete -> "Test role 1"
In the folder I have a credential with discrete permissions set:
View/Add/Edit/Delete -> "Test role 1, Test role 2"
However, Test user cannot see the credential. It also doesn't show up in the search results. Even though it's mentioned, discrete permissions still seem to be limited by the inheritance principle. This seems strange, as discrete permissions are meant to specify permissions completely independent from any other settings.
I can imagine that it is difficult to show the credential in the tree view (as the user does not have permissions on the parent folder), but previous password management applications we had, most notably Secret Server, solved this by only showing the credential in the search results.
Hello,
The way the new Role-based permission security system works, you must have the view permission on the parent folder to view the entries in that folder.
Best regards,
Érica Poirier
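
The rule from the reply above, applied to the roles in the question, as an added example (a simplified model, not the product's code or API; the `Folder`/`Entry` classes and all function names are hypothetical). It also lists entry-level grants that cannot take effect on their own because the role lacks View on the parent folder.

```python
# Added illustration: simplified model of the rule stated in the reply.
# Class and function names are hypothetical, not a real product API.
from dataclasses import dataclass


@dataclass
class Folder:
    name: str
    view_roles: frozenset  # roles holding the discrete View permission


@dataclass
class Entry:
    name: str
    parent: Folder
    view_roles: frozenset


def can_view(user_roles, entry):
    """View on an entry only counts if the user also has View on its parent folder."""
    roles = set(user_roles)
    return bool(roles & entry.view_roles) and bool(roles & entry.parent.view_roles)


def search(user_roles, entries, term):
    """Search applies the same visibility rule as the tree view (as the question observed)."""
    return [e.name for e in entries
            if term.lower() in e.name.lower() and can_view(user_roles, e)]


def ineffective_grants(entries):
    """(entry, role) pairs where the role has View on the entry but not on the
    parent folder: a user holding only that role will never see the entry."""
    return [(e.name, role)
            for e in entries
            for role in sorted(e.view_roles - e.parent.view_roles)]


# Constructed sample data mirroring the setup described in the question.
FOLDER = Folder("Folder", frozenset({"Test role 1"}))
CREDENTIAL = Entry("Credential", FOLDER, frozenset({"Test role 1", "Test role 2"}))
TEST_USER_ROLES = {"Test role 2"}

if __name__ == "__main__":
    print("Test user can view:", can_view(TEST_USER_ROLES, CREDENTIAL))
    print("Search results:", search(TEST_USER_ROLES, [CREDENTIAL], "cred"))
    for entry_name, role in ineffective_grants([CREDENTIAL]):
        print(f"'{role}' is granted View on '{entry_name}' but not on its parent folder")
```
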