  1. Bamboo Data Center
  2. BAM-6714

Allow "Import With Maven" for "Restricted Administrators"


Details

    • Suggestion
    • Resolution: Fixed
    • 2.7 beta2, 2.7
    • Security
    • Bamboo 2.6.1 (checked 2.6.2 tag) and Studio 2.3-m2

    Description

      We differentiate between System Administrators and Administrators in Studio. System Administrators are Atlassian and Contegix, Administrators may be customers. I was told that these groups roughly map to the notion of Administrators (Studio: System Administrators) and Restricted Administrators (Studio: Administrators) in Bamboo.

      The customer is allowed to perform certain administration tasks in Studio's Bamboo, amongst them, for example, configuring the build expiry (BuildExpiryAction). These actions define no interceptor ref and thus use the defaultStack (default-interceptor-ref, xwork.xml). The defaultStack contains, as far as I can see, only one interceptor for authorisation, that is the permissionCheck (com.atlassian.bamboo.security.acegi.intercept.web.WebworkSecurityInterceptorProxy) interceptor, which delegates to an extension of Acegi's org.acegisecurity.intercept.AbstractSecurityInterceptor, com.atlassian.bamboo.security.acegi.intercept.web.WebworkSecurityInterceptor. The AbstractSecurityInterceptor is configured to check, amongst other things, if principals trying to access com.atlassian.bamboo.ww2.aware.permissions.GlobalAdminSecurityAware instances possess one of these authorities: WW_ADMIN,WW_RESTRICTED_ADMIN,GLOBAL_READ (applicationContextAcegiSecurity.xml). The administrative actions currently configured in Studio to be accessible by Restricted Administrators (Studio: Administrators) implement this interface and thus they are allowed to access the action.

      My current task is to allow customers to create build plans from POMs (https://studio.atlassian.com/browse/JST-2328). This action, importMavenPlan (com.atlassian.bamboo.ww2.actions.admin.ImportMavenPlanCheckoutPomAction) uses a different interceptor stack, buildConfig and globalAdminStackAlwaysValidate. Regarding permissions, as far as I can see, the WebworkSecurityInterceptor is still used due to globalAdminStackAlwaysValidate → basicAdminStackPreValidate → permissionCheck, but the principal is only checked against these authorities: WW_READ,GLOBAL_READ due to the instance being "only" a com.atlassian.bamboo.ww2.aware.permissions.GlobalReadSecurityAware (BambooActionSupport, see screenshot). The Restricted Administrators pass this test. However, a second permission check is applied in this configuration, the globalAdminStackAlwaysValidate → basicAdminStackPreValidate → globalAdmin (com.atlassian.bamboo.ww2.interceptors.GlobalAdminInterceptor). This interceptor uses the com.atlassian.bamboo.security.acegi.acls.HibernateMutableAclServiceImpl in order to check if the principal has the ADMINISTRATION permission, which he has not (RESTRICTEDADMINISTRATION instead).

      My request is to change the configuration for the importMavenPlan action in order to allow it to be used by Restricted Administrators. One way would be to use the default stack and implement GlobalAdminSecurityAware. I haven't checked what other implications that would have regarding the interceptor configuration. Thanks for the help.
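
Added example, not part of the original issue and not Bamboo's code: a small audit script that expands nested XWork interceptor stacks and lists which authorisation interceptors actually run for each action. The interceptor, stack and action names come from the description above; the XML fragment, the exact stack contents and the `effective_authz` helper are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
# Constructed xwork.xml fragment: names come from the issue text, but the
# exact stack contents are assumptions, not Bamboo's real configuration.
XWORK = """
<xwork><package name="admin">
  <interceptors>
    <interceptor name="permissionCheck" class="com.atlassian.bamboo.security.acegi.intercept.web.WebworkSecurityInterceptorProxy"/>
    <interceptor name="globalAdmin" class="com.atlassian.bamboo.ww2.interceptors.GlobalAdminInterceptor"/>
    <interceptor-stack name="defaultStack">
      <interceptor-ref name="permissionCheck"/>
    </interceptor-stack>
    <interceptor-stack name="basicAdminStackPreValidate">
      <interceptor-ref name="permissionCheck"/>
      <interceptor-ref name="globalAdmin"/>
    </interceptor-stack>
    <interceptor-stack name="globalAdminStackAlwaysValidate">
      <interceptor-ref name="basicAdminStackPreValidate"/>
    </interceptor-stack>
  </interceptors>
  <default-interceptor-ref name="defaultStack"/>
  <action name="buildExpiry" class="BuildExpiryAction"/>
  <action name="importMavenPlan" class="com.atlassian.bamboo.ww2.actions.admin.ImportMavenPlanCheckoutPomAction">
    <interceptor-ref name="buildConfig"/>
    <interceptor-ref name="globalAdminStackAlwaysValidate"/>
  </action>
</package></xwork>
"""

AUTHZ = {"permissionCheck", "globalAdmin"}  # authorisation interceptors named in the issue

def effective_authz(xml_text):
    """Map each action to the authorisation interceptors that run for it, in order."""
    pkg = ET.fromstring(xml_text).find("package")
    stacks = {s.get("name"): [r.get("name") for r in s.findall("interceptor-ref")]
              for s in pkg.iter("interceptor-stack")}
    default = pkg.find("default-interceptor-ref").get("name")

    def expand(name, seen=()):
        if name in seen:
            raise ValueError(f"cyclic interceptor stack: {name}")
        if name not in stacks:  # leaf interceptor, not a stack
            return [name]
        return [i for ref in stacks[name] for i in expand(ref, seen + (name,))]
    result = {}
    for action in pkg.findall("action"):
        # An action without its own interceptor-ref falls back to the default stack.
        refs = [r.get("name") for r in action.findall("interceptor-ref")] or [default]
        chain = [i for ref in refs for i in expand(ref)]
        result[action.get("name")] = [i for i in chain if i in AUTHZ]
    return result
```

Run against a real xwork.xml, the per-action output makes a second, stricter check such as globalAdmin visible even when it is buried two stack levels deep.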

            People

              pbruski Przemek Bruski
              fakraemer fabs