I found a bug related to invalid object URL and permission setting. Here is the scenario: / [/users/root-/actions-inheritable] /files/john/resources [/users/john-/actions-inheritable] /files/john/resources/folder1 Now, if I use structure helper to retrieve /files/john/resources/folder1 using either root or john, it works as expected. When I deliberately retrieves an invalid node, say /files/john/resources/invalid-folder, root and john get different exceptions. For root, we get ObjectNotFoundException, as expected. For john, we get AccessDeniedException!!! org.apache.slide.security.AccessDeniedException: Access denied on / by user /users/john for action /actions/read at org.apache.slide.security.SecurityImpl.checkCredentials(SecurityImpl.java:389) at org.apache.slide.structure.StructureImpl.retrieve(StructureImpl.java:226) at org.apache.slide.structure.StructureImpl.retrieve(StructureImpl.java:170) A workaround is to grant john /actions/read along /, /files, /john. However, it is very inconvenient as users in our system come and go. Adding these extra permissions are undesirable.