I observed something strange when working with Run Time Instance permissions on a Thing Shape and wanted to ask if this is expected behavior or a potential bug.  To demonstrate I'll propose a scenario.  I am using ThingWorx 10.0.

Created entities:

• TestUSR - User for testing access.
• TestTS1 - Contains property "TS1Prop" and service "TS1Service"
• TestTS2 - Contains property "TS2Prop" and service "TS2Service"
• TestTT - Template inheriting GenericThing template. Contains property "TTProp" and service "TTService"
• TestThing1 - Thing inheriting TestTT template. Contains property "ThingProp" and service "ThingService"
  

Now I configure permissions on TestTS1 only.  The rest of the entities will not have any permissions configured.

• Grant 'Property Read' and 'Service Execute' run time instance permissions to TestUSR.  See below.

Now I run Access Report for TestThing1 for user TestUSR.  This initially looks fine, but when I dig into the Specific Permissions by clicking the various run time attributes, I'm met with the following checkmarks and X's.

It appears that something is granting access to the "generic" Thing properties and services.  NOTE: I'm only showing a sample of specific service permissions below (left) since the list is long, and I also wanted to show the "Test" services' Denials.  

I confirmed that I don't have any Collection permissions active that provide any Grants.  

Next, I removed the 'Property Read' and 'Service Execute' run time instance permissions for TestUSR.

Running the access report again gave me the following.  No permissions are shown now.  This suggests that Granting Instance Run Time permissions (property/service) on my Thing Shape granted access to the "generic" properties/services on my Thing.  

Is this an expected behavior?  There are certain "generic" services that I may not want to grant to certain users.