The asset manager security layer always generates a role-based security
query part, even if the user is an administrator, in which case the
generated query part is just discarded later on.
Additionally, a never-matching query part is always added in case a user
has no rules, which is unlikely but possible. Nevertheless, this is
unnecessary if the user has any roles.