Hi Robert,

You are correct, you have to un-impersonate to get your access back. The reasoning is fairly simple- there is no way for the system to know that you want to impersonate this user when accessing this form but not when accessing this other form.

Impersonation gives you the experience that user would have. If that user can't access ACL's, neither can you (while impersonating). It's possible to build a system that only did impersonation for a single transaction or something, but there is a trade-off in terms of use and time spent. It would make debugging easier some of the time, but is that enough to justify building out that system versus enhancing the SLA Engine, or creating the scoping model?

I usually test in two browsers (Chrome and Firefox), or in Chrome and Chrome (Incognito mode). This side-steps the issue, since only one of your sessions will be impersonating, and the other has the access needs required. You can copy/paste links, or just look at the rule name being output, and navigate there manually in the other browser.

Have you figured out the root cause yet?