When creating a policy for a specific vendor's patch bundle (for example, Mozilla only), the restricted admin cannot execute "deploy remediation" or create a Patch Policy. In order for the admin to be able to do deploy remediation and patch policy, deploy and author should be allowed on the parent directory (ZPM) in the bundle policy. But with this, the admin can do remediation and patch policy with other vendors' patches (Mozilla and other software).

Because of this, we tried to reverse the policy: creating the allow policy for the parent directory, then negating it (denying the other vendors' directories besides Mozilla), which are not required by the restricted admin. But the result is that the admin can still create assigned bundles without the actual patch binaries, and there is no prompt to the admin that his rights are not valid for such vendors. Thus the admin can populate the assigned bundles for devices without any restriction or error message when doing this.