one more thing:
Edit access restrictions works for multiple roles assigned to the same user this way:
URE takes an access model (Allow or Block) from the 1st role and add to it access conditions from other roles with the same access model only. For example: User has 3 roles. 1st role: Allow, 2nd role: Block, 3rd role: Allow. Access conditions will be applied from the 1st and 3rd roles only.
So in other words, i should either use allow or block, not both, right? any thoughts how the order of roles is determined? i mean, is the primary role always the first role, which will determine which access model will be used?
One last question, does the user access model (defined at the bottom of the user profile) override role access model?