  1. Magnolia UI
  2. MGNLUI-3838

Wrong ACL-validation results in AccessViolation


    • Saigon 54
    • 5

      We can't modify the anonymous role anymore.

      We created a separate account customAdmin that does not have the superuser role.

      To shorten the problem and to reproduce the error, here is an example for the workspace category:

      anonymous has ACL read-only on "/" selected and subnodes
      customAdmin has ACL read/write on "/" selected and subnodes

      In SaveRoleDialogAction line 262 ff. (validateAccessControlLists()) the ACLs of the current user are checked against the ACLs of the role to be saved. The current user needs at least write permissions to the workspace and node.

      The exception is fired in line 295. Reason:

      In method isCurrentUserEntitledToGrantRights(workspaceName, path, accessType, permissions) the boolean recursive is true (line 349), the wildcard is stripped off the original path and ownPermission will always be "/" in findBestMatchingPermissions(acl.getList(), stripWildcardsFromPath(path)) (line 344).

      But if recursive is true the permission check wants the path to match "/*" (line 352):

      if (recursive && !ownPermissions.getPattern().getPatternString().endsWith("/*"))

      If I haven't overlooked anything, the implementation of findBestMatchingPermissions() returns the wrong value for ownPermission ("/" instead of "/*").

      Find attached the XML export snippets for the roles and workspace category.

      BTW: the validation method validates the ACL list one after the other. It does not matter how many entries there are. category is first and when category fails the exception is thrown.


          1. userroles.zeg-admin.xml
            110 kB
          2. userroles.anonymous.xml
            60 kB
          3. acls-custromAdmin.txt
            3 kB
          4. acls-anonymous.txt
            4 kB

              oanh.thai Oanh Thai Hoang
              sigurd.rolfes Sigurd Rolfes

                    Estimated: 4d
                    Remaining: 0d
                    Logged: 7d
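The check described in the report can be reproduced with a small stand-alone model. This is an added example, not Magnolia source code: the Entry record, the matching rules, the permission bit masks and the representation of "selected and subnodes" as two entries ("/" and "/*") are assumptions; only the three method names and the endsWith("/*") condition come from the report.

```java
import java.util.*;

// Simplified model of the reported check; not Magnolia source code.
public class AclGrantCheckDemo {
    static final long READ = 8, READ_WRITE = 63; // constructed bit masks

    record Entry(String pattern, long permissions) {
        // Assumed rule: "x/*" covers everything below x, a bare pattern covers only that node.
        boolean matches(String path) {
            if (pattern.endsWith("/*")) {
                String prefix = pattern.substring(0, pattern.length() - 1); // keeps trailing "/"
                return path.startsWith(prefix) && path.length() > prefix.length();
            }
            return pattern.equals(path);
        }
    }

    static String stripWildcardsFromPath(String path) {
        String s = path.endsWith("/*") ? path.substring(0, path.length() - 2) : path;
        return s.isEmpty() ? "/" : s; // "/*" collapses to the root node "/"
    }

    // Assumed behaviour: the longest pattern that matches the given path wins.
    static Optional<Entry> findBestMatchingPermissions(List<Entry> acl, String path) {
        return acl.stream().filter(e -> e.matches(path))
                  .max(Comparator.comparingInt(e -> e.pattern().length()));
    }

    // As described in the report: look up by the stripped path, then require a "/*" pattern.
    static boolean isCurrentUserEntitledToGrantRights(List<Entry> acl, String path, long wanted) {
        boolean recursive = path.endsWith("/*");
        Optional<Entry> own = findBestMatchingPermissions(acl, stripWildcardsFromPath(path));
        if (own.isEmpty()) return false;
        if (recursive && !own.get().pattern().endsWith("/*")) return false; // the failing check
        return (own.get().permissions() & wanted) == wanted;
    }

    public static void main(String[] args) {
        // customAdmin: read/write on "/" selected and subnodes, modelled as two entries.
        List<Entry> customAdmin = List.of(new Entry("/", READ_WRITE), new Entry("/*", READ_WRITE));
        // Entries of the role being saved (anonymous, read-only), plus a deeper subtree for contrast.
        for (String path : List.of("/", "/*", "/news/*")) {
            System.out.println(path + " -> "
                + isCurrentUserEntitledToGrantRights(customAdmin, path, READ));
        }
    }
}
```

In this model only the "/*" entry is rejected: stripping the wildcard yields "/", which the non-wildcard "/" entry matches, so the recursive check never sees the user's own "/*" entry.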