Lets use ROLE_USER_ADMIN and ROLE_USER for this example.
Steps to reproduce:
1. Use the new series wizard to create a new series.
2. Add ROLE_USER_ADMIN twice to the access policy setup for the new series (once for read/write, and another for say read)
3. Once series is created, add read access for ROLE_USER to the newly created series.
ROLE_USER does not have read access to the series.
ROLE_USER should have read access to the series.
Workaround (if any):
Add both read and write access for ROLE_USER, then remove write access after the initial update is complete. Any follow-on ACL changes will stick going forward (after the initial update).