Hi 

I'm doing some research regarding the roles related to DPM and Service-CRUD functionalities. I have the following behaviour which makes me a bit confuse:

What I have:

• A sys_user related to a Company with role service_author, sn_dpm.dpm_manager, snc_internal. 
• The related Company is a selfmade company which is marked as vendor. 
• The Demo-Data Services of the PDI.

Behaviour on my ootb PDI:

• Impersonate as the sys_user mentioned above.
• Select a Business Service (ServiceNow PDI Demo Service) in the backend. --> Editing is not possible. --> ok
• Open DPM
• Select the Enterprise Portfolio where the Service is related to
• Drill-Down into the Service
• select "Edit in service Builder" via the three dots in the right upper corner
• The service Builder opens and I'm able to edit it. 
• Do not change nor save something
• Change back into the backend --> now I'm able to change the details of the service. --> could be a security issue for my purpose because the role description says that service_author can only change their owned services.

Am I wrong in my assumption or is that a correct behaviour because I gave sn_dpm.dpm_manager to the sys_user too?

Many thanks and regards, Andres

Expected behaviour: