I've read the documentation thoroughly in addition to tried numerous other methods but I cannot get past the following problem:

I have 2 different roles. I need one to be able to access one page and all its children. I need the other to be able to access a different page and all its children. They should not be able to access each others' pages and children nor should public users be able to.

Sounds pretty simple.

Absolutely everything seems to work except for the fact that when a user logs in with EITHER role he has permission to access BOTH pages.

I've gone over it a hundred times and configured it as closely as I could to the documentation - it only tells you how to filter out document types based on user roles, not how to put the permissions on the page level. In fact, filtering doc types by roles is in place and working fine.

I'll explain what I believe to be the proper technique which is currently in place and not working:

1) Set grant Read permissions to RoleA, RoleB, and Public User to the root of the entire site. (this doesn't seem to have any impact one way or another, yet, actually)
2) Deny access to RoleB and Public User on PageA
3) Deny access to RoleA and Public User on PageB

When I log in, I can see that repeaters will indeed filter based off these roles - including the links to these pages even. For example UserA in RoleA will only see a link to PageA. However, UserA in RoleA can view both PageA and PageB. As you'd expect, UserB in RoleB can also see PageA.

So is this a bug? Have I really overlooked something despite reading the manual and working on this for hours?

HRELP?!!1