--- a/Allura/allura/app.py
+++ b/Allura/allura/app.py
@@ -4,13 +4,13 @@
 
 from tg import expose, redirect, flash
 from tg.decorators import without_trailing_slash
-from pylons import c, g
+from pylons import c, g, request
 from bson import ObjectId
 
 from ming.orm import session
 
 from allura.lib.helpers import push_config, vardec
-from allura.lib.security import require, has_artifact_access
+from allura.lib.security import require, has_artifact_access, has_project_access
 from allura import model
 from allura.controllers import BaseController
 from allura.lib.decorators import react, require_post
@@ -212,7 +212,7 @@
     def admin_menu(self):
         admin_url = c.project.url()+'admin/'+self.config.options.mount_point+'/'
         links = []
-        if self.permissions and has_artifact_access('configure', app=self)():
+        if self.permissions and has_project_access('security')():
             links.append(SitemapEntry('Permissions', admin_url + 'permissions', className='nav_child'))
         if len(self.config_options) > 3:
             links.append(SitemapEntry('Options', admin_url + 'options', className='admin_modal'))
@@ -274,7 +274,7 @@
         from ext.admin.widgets import PermissionCard
         c.card = PermissionCard()
         return dict(app=self.app,
-                    allow_config=has_artifact_access('configure', app=self.app)())
+                    allow_config=has_project_access('security')())
 
     @expose('jinja:app_admin_options.html')
     def options(self):
@@ -322,9 +322,9 @@
             role_ids = map(ObjectId, group_ids + new_group_ids)
             roles = model.ProjectRole.query.find(dict(
                 _id={'$in':role_ids},
-                project_id=c.project._id))
+                project_id=c.project.root_project._id))
             self.app.config.acl[perm] = [ r._id for r in roles ]
-        redirect('.')
+        redirect(request.referer)
 
     @expose()
     @require_post()