Securing Cubes as read-only in Planning Analytics

[Homer911]

Hi
Newcomer to Cognoise..
I'm trying to configure read-only access for a group of users in Planning Analytics and I'm seeing some strange behaviours.  We are using PAW 2.0.82 and PAfE 2.0.82.5
Trying this out on our DEV system I have an AD group described as read-only which I have added to the system via Architect and assigned read permissions to all cubes. Security has been refreshed.
Trying this out with a user added to this group, the user opens PAfE..
While all cubes are visible, right-click on the cubes is disabled meaning no explorations or any other type of report can be created (not what we want).  Clicking on the cube opens the viewer.  The user can edit data, but the commit tick is grayed-out (Good).  However when the user presses the refresh button in viewer, it commits the edits and other users can view the amended data (Very bad!).
The user does have other permissions, some of which are write permissions to specific cubes but not the ones he edited. 
I'm unclear how the hierarchy of permissions works - which takes precedent?

Clearly I'm seeing behaviours which should not happen, but have I missed something on the setup/config?