Groups that have specified permissions restricting users from viewing services or knowledge base articles will always trump user-level settings specifying that a user can view a service or KB article. This is because group-level permissions work on a blacklist basis. This means that if your service is configured to blacklist a certain group, they won't see the service. You cannot work around that - which is by design to restrict certain groups from viewing the service when specified. To acheive the functionality you described, you would instead have to create whitelist permissions for the group that define who *can* see the service, rather than a blacklist of who cannot. I hope this has helped clarify group-based permissions. If there is anything else we can do to help, please let us know.