Security inheritance change from 2012 version

[criiser]

FolderAll
-->FolderPublic1
------->Connection11
-->FolderPublic2
------->Connection21

Set "Read" for "FolderAll" for all security groups and everybody can see this folder
Inherit will be the default for all subitems - so all users have read access to all sub objects...

Now goto PublicFolder1 - switch from "Inherited" to "Default Values" and customize the assigned security groups - e.g. only Admins
From now - Admins will see all folders, other users will see FolderAll, FolderPublic2 and all sub items...

I follow - now if:

FolderAll
-->FolderPublic1
------->Connection11
-->FolderPublic2
------->Connection21
-->Connection31

Assigning Read on FolderALL will grant the user right to read Connection31. Not just the folder..
and that is what i feel has changed. In 2012 you could set right on JUST the folder. Now its restricted to just the objects.

Example (Small but serves as example of LARGER solution):

Root
-->PublicCustomers
-------->Customer1
-------------->ConnectionC1_1
-------------->ConnectionC1_2
-------------->ConnectionC1_3
--------->Customer2
-------------->ConnectionC2_1
-------------->ConnectionC2_2
-------------->ConnectionC2_3
--->ManagementConnection_1
--->ManagementConnection_2
--->ManagementConnection_3
--->ManagementConnection_4

My consultant should service Customer1. He then needs READ on PublicCustomers Folder. That grants him read ASWELL on all the ManagementConnection_1-4. Not quite desirable. So Then all managementCOnnections needs to be modified with an default value. If more than 10 - that becomes an tiresome event...

Attaching snip from 2012 ASG vs 2015 to highlight the differences.

Br, Christian