I see what you're saying. One issue I'm running into is that when I click on the name of the rule that denied access in order to go to the access control I can't see anything because of course I'm impersonating someone who has no roles. This seems to undercut the purpose of those links given that only admins can see ACLs. I guess the only solution is to copy the name of the rule from the debug output and go back to being an admin role in order to look at it?