diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-rule-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-rule-context.xml
index e2b39bb2a2..bee709a5d7 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-rule-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/capability/rm-capabilities-rule-context.xml
@@ -9,6 +9,11 @@
+
+
+
\ No newline at end of file
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml b/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml
index b130fa9090..2e82dcff34 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/extended-repository-context.xml
@@ -202,5 +202,38 @@
-
+
+
+
+
+
+
+
+ org.alfresco.service.cmr.rule.RuleService.getRuleTypes=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.getRuleType=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.enableRules=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.disableRules=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.isEnabled=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.rulesEnabled=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.disableRule=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.enableRule=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.disableRuleType=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.enableRuleType=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.isRuleTypeEnabled=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.hasRules=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.getRules=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.countRules=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.getRule=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.saveRule=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.setRulePosition=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.removeRule=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.removeAllRules=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.getOwningNodeRef=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.isLinkedToRuleNode=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.getLinkedToRuleNode=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.getLinkedFromRuleNodes=ACL_ALLOW
+ org.alfresco.service.cmr.rule.RuleService.*=ACL_DENY
+
+
+
\ No newline at end of file
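Review bot: The state-changing RuleService methods (`saveRule`, `removeRule`, `removeAllRules`, `setRulePosition`, `enableRules`, `disableRules`) are mapped to `ACL_ALLOW` here, and the matching entries added to rm-method-security.properties map them to `RM_ALLOW`, so as far as these two hunks show, neither layer ties a rule change to a permission or capability on the target node. Only the trailing `RuleService.*=ACL_DENY` / `RM_DENY` default is restrictive, and it covers just the methods that are not listed. If rule edits on file plan nodes are meant to be restricted, the mutators in the properties file could follow the PermissionService entries above them, for example `rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.saveRule=RM.Capability.0`, assuming the node is the first argument. If the write check is enforced elsewhere, a comment above the list saying where would help. The XML markup of this hunk is not visible on the page, so the bean these entries belong to is inferred.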
diff --git a/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties b/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties
index 21346a144a..9a8963c20e 100644
--- a/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties
+++ b/rm-server/config/alfresco/module/org_alfresco_module_rm/security/rm-method-security.properties
@@ -175,4 +175,31 @@ rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.setPermiss
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.setInheritParentPermissions=RM.Capability.0
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.getInheritParentPermissions=RM_ALLOW
rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.clearPermission=RM.Capability.0
-rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.*=RM_DENY
\ No newline at end of file
+rm.methodsecurity.org.alfresco.service.cmr.security.PermissionService.*=RM_DENY
+
+## Rule Service
+
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRuleTypes=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRuleType=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.enableRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.disableRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.isEnabled=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.rulesEnabled=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.disableRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.enableRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.disableRuleType=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.enableRuleType=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.isRuleTypeEnabled=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.hasRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.countRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.saveRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.setRulePosition=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.removeRule=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.removeAllRules=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getOwningNodeRef=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.isLinkedToRuleNode=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getLinkedToRuleNode=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.getLinkedFromRuleNodes=RM_ALLOW
+rm.methodsecurity.org.alfresco.service.cmr.rule.RuleService.*=RM_DENY
\ No newline at end of file
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java
index 1fff14583b..8b2950e029 100644
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/declarative/DeclarativeCapability.java
@@ -31,6 +31,8 @@ import org.alfresco.module.org_alfresco_module_rm.capability.AbstractCapability;
import org.alfresco.module.org_alfresco_module_rm.capability.Capability;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AccessStatus;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
import org.springframework.beans.BeansException;
import org.springframework.context.ApplicationContext;
import org.springframework.context.ApplicationContextAware;
@@ -43,6 +45,9 @@ import org.springframework.context.ApplicationContextAware;
public class DeclarativeCapability extends AbstractCapability
implements ApplicationContextAware
{
+ /** Logger */
+ protected static Log logger = LogFactory.getLog(DeclarativeCapability.class);
+
/** Application Context */
protected ApplicationContext applicationContext;
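Review bot: The new `logger` field is declared without `final`, so any subclass can reassign the instance shared by every capability; `protected static final Log logger = LogFactory.getLog(DeclarativeCapability.class);` keeps it usable from subclasses without that risk. Because it is bound to `DeclarativeCapability.class`, messages written by subclasses such as ViewRecordsCapability (changed later in this diff) appear under this class's logging category, which is worth stating in the `/** Logger */` comment. The class body continues outside the hunk.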
@@ -304,6 +309,12 @@ public class DeclarativeCapability extends AbstractCapability
// Last chance for child implementations to veto/change the result
result = onEvaluate(nodeRef, result);
+ // log access denied to help with debug
+ if (logger.isDebugEnabled() == true && AccessDecisionVoter.ACCESS_DENIED == result)
+ {
+ logger.debug("Capability " + getName() + " returned an Access Denied result during evaluation of node " + nodeRef.toString());
+ }
+
return result;
}
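Review bot: The debug message calls `nodeRef.toString()` explicitly, so if `nodeRef` can be null at this point the log statement itself throws inside the access decision. Plain concatenation prints `null` instead: `logger.debug("Capability " + getName() + " returned an Access Denied result during evaluation of node " + nodeRef);`. The same explicit call appears in the message added to ViewRecordsCapability.java, and the `== true` in both guards is redundant. Denials are recorded only at debug level, so this aids troubleshooting but should not be relied on as an audit trail. The method starts outside the hunk, so whether `nodeRef` is checked earlier cannot be seen here.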
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/ViewRecordsCapability.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/ViewRecordsCapability.java
index e00aba7985..4f1cdad10b 100644
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/ViewRecordsCapability.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/capability/impl/ViewRecordsCapability.java
@@ -36,8 +36,15 @@ public final class ViewRecordsCapability extends DeclarativeCapability
{
return checkRmRead(nodeRef);
}
+ else
+ {
+ if (logger.isDebugEnabled() == true)
+ {
+ logger.debug("View Records capability abstains, because node is not a file plan component. (nodeRef=" + nodeRef.toString() + ")");
+ }
+ }
}
-
+
return AccessDecisionVoter.ACCESS_ABSTAIN;
}
}
\ No newline at end of file
diff --git a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/model/behaviour/RecordContainerType.java b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/model/behaviour/RecordContainerType.java
index a0b7e0133c..ebed90b439 100644
--- a/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/model/behaviour/RecordContainerType.java
+++ b/rm-server/source/java/org/alfresco/module/org_alfresco_module_rm/model/behaviour/RecordContainerType.java
@@ -123,18 +123,26 @@ public class RecordContainerType implements RecordsManagementModel,
// We only care about "folder" or sub-types
if (dictionaryService.isSubClass(childType, ContentModel.TYPE_FOLDER) == true)
{
- // We need to automatically cast the created folder to RM type if it is a plain folder
- // This occurs if the RM folder has been created via IMap, WebDav, etc
- if (nodeService.hasAspect(child, ASPECT_FILE_PLAN_COMPONENT) == false)
+ if (dictionaryService.isSubClass(childType, ContentModel.TYPE_SYSTEM_FOLDER) == true)
+ {
+ // this is a rule container, make sure it is an file plan component
+ nodeService.addAspect(child, ASPECT_FILE_PLAN_COMPONENT, null);
+ }
+ else
{
- // TODO it may not always be a record folder ... perhaps if the current user is a admin it would be a record category??
-
- // Assume any created folder is a rma:recordFolder
- nodeService.setType(child, TYPE_RECORD_FOLDER);
- }
+ // We need to automatically cast the created folder to RM type if it is a plain folder
+ // This occurs if the RM folder has been created via IMap, WebDav, etc
+ if (nodeService.hasAspect(child, ASPECT_FILE_PLAN_COMPONENT) == false)
+ {
+ // TODO it may not always be a record folder ... perhaps if the current user is a admin it would be a record category??
+
+ // Assume any created folder is a rma:recordFolder
+ nodeService.setType(child, TYPE_RECORD_FOLDER);
+ }
- // Catch all to generate the rm id (assuming it doesn't already have one!)
- setIdenifierProperty(child);
+ // Catch all to generate the rm id (assuming it doesn't already have one!)
+ setIdenifierProperty(child);
+ }
}
}
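Review bot: The new branch tests `dictionaryService.isSubClass(childType, ContentModel.TYPE_SYSTEM_FOLDER)`, which is broader than its comment "this is a rule container": every system-folder sub-type created under a record container gets `ASPECT_FILE_PLAN_COMPONENT`. That pulls the node into file-plan capability evaluation, and the branch also skips `setIdenifierProperty(child)`. If only rule containers are intended, the condition should be narrowed to them. Otherwise the comment should state the real scope, for example `// any system folder created here (rule containers in practice) becomes a file plan component so RM permissions apply; no rm identifier is generated for it`. The enclosing method starts outside the hunk.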