How to disable "Default Roles" #2734
lordran opened 2 months ago


We have some questions about the Default Roles for the project.

As described below, these are the default roles for users in the system who have not been assigned a role in the project.

If a user does not have permissions set for a project, the roles set here are used instead. If we do not want all projects under a parent project to be exposed, even if the child projects can inherit the parent project's default roles, we cannot control whether someone modifies the child project's default roles, which leads to the project being exposed. Is there a way to solve this situation? Thank you.

  • Sebastian commented 2 months ago

    I don't think so. We had a similar situation on our side and ended up simply not using the default roles as permissions are "additive" in OneDev.

  • Robin Shen commented 2 months ago

    A permission for a child project is all permissions assigned to parent projects plus permissions assigned to itself. So if a parent project is visible to someone, the whole tree will be visible. This is by design for a number of reasons including performance.

  • Robin Shen changed state to 'Closed' 2 months ago
    Previous Value: Open
    Current Value: Closed
  • lordran commented 2 months ago

    @robin Even if the parent project is invisible (No default roles) to someone, its child project can be set as "Project Owner", then everyone who has not been assigned a role in the project can visit it. We cannot ensure that someone will not change the Default Roles of the child project.

  • lordran commented 2 months ago

    @sebastian So, what do you mean by ‘not using the default roles’? If I’m not mistaken, does this mean it’s a matter of people agreeing to follow certain rules? I’d prefer to achieve this through system-level restrictions.

  • Robin Shen commented 2 months ago

    > then everyone who has not been assigned a role in the project can visit it

    If someone specifies a default role for a child project, it only affects the visibility of that child project (and projects under it); the parent project will still not be accessible.

  • Sebastian commented 2 months ago

    @lordran We (internally) eventually decided to a) not set a default role at all (to prevent default access to the child projects in the first place) and b) to put our child projects next to our main project so we can control all permissions individually. This might not be an ideal solution but it was the only solution that we found which works around the "permissions are always inherited"-concept.

    NB that I don't think the concept is wrong, it just didn't fit our special use case.

    ... and to work around the resulting overhead, we set up a small Python script which reads and applies a configuration file where we define the actual permissions. 😬
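
Added illustration, not part of the thread and not OneDev code: a small Python model of the additive rule Robin Shen describes, with a check that flags default roles set outside a declared policy, in the spirit of the config-driven approach Sebastian mentions. The project paths, the policy and the role name `ExampleReader` are constructed, and nothing here calls a OneDev API.

```python
from typing import Optional

# Constructed sample: project path -> default role set on that project (None = not set).
# This models the rule stated in the thread; it is not OneDev's data model or API.
PROJECTS: dict[str, Optional[str]] = {
    "corp": None,
    "corp/platform": None,
    "corp/platform/billing": "Project Owner",  # default role set on a child project
    "corp/platform/billing/reports": None,
    "corp/docs": "ExampleReader",               # constructed role name
}

# Constructed policy: the only places where a default role is intended.
ALLOWED_DEFAULTS = {"corp/docs": "ExampleReader"}


def ancestors_and_self(path: str) -> list[str]:
    """'a/b/c' -> ['a', 'a/b', 'a/b/c']."""
    parts = path.split("/")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def effective_default_roles(path: str, projects: dict) -> set:
    """Additive rule: default roles of every ancestor plus the project's own."""
    return {projects[p] for p in ancestors_and_self(path) if projects.get(p)}


def audit(projects: dict, allowed: dict) -> list:
    """Return (project, role, exposed_projects) for each default role not in policy.

    A default role on a project also applies to everything beneath it, so the
    exposed set is the project itself plus its whole subtree.
    """
    findings = []
    for path, role in sorted(projects.items()):
        if role is None or allowed.get(path) == role:
            continue
        exposed = sorted(p for p in projects
                         if p == path or p.startswith(path + "/"))
        findings.append((path, role, exposed))
    return findings


if __name__ == "__main__":
    for path, role, exposed in audit(PROJECTS, ALLOWED_DEFAULTS):
        print(f"unexpected default role {role!r} on {path}; "
              f"reachable by users without an assigned role: {exposed}")
```
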

Type: Question
Priority: Normal
Assignee:
Labels: No labels
Issue Votes (0)
Watchers (4)
Reference: OD-2734