Channel: SCN: Message List

Re: SOD Rules - Query


Hi Alessandro,

 

Please find my functions, risk and rules below.

 

Function AR12 - No Actions only Permissions

 

Untitled.png

 

Function CA04 - Actions

 

Untitled1.png

Function CA04 - Permissions

 

Untitled2.png

 

Action Rules

 

Untitled3.png

 

Permission Rules

 

Untitled4.png

 

My Role 1 has Tcodes and objects which are part of the CA04 function.

 

My Role 2 has objects which are part of the AR12 function.

 

When I checked by simulating Role 1 and Role 2, I am getting Action Level risks as well as Permission Level risks. In my action level rules of CCI02 I observe that rules are defined for Permission Group of AR12 with Actions of CA04. These are showing up as Action level risks.

 

Here I should get permission level risks only and not action level risks.

 

When I run risk analysis for Role 1 alone, the risk analysis report shows that Role 1 has Action level risks from my Risk ID CCI02.

 

In my action level rules of CCI02 I observe that rules are defined for Permission Group of AR12 with Actions of CA04. But these rules are making Role 1 itself a risk role, which is incorrect as the Tcodes of Role 1 don't have any issues. Only when they combine with Role 2 should they show permission level risks.

 

I understand that any combination will appear as risk between AR12 and CA04.

 

But why are action level rules being created when there are actions in only one function and the other function doesn't have any actions?

 

Even if they are getting created, that should again be considered as a combination but these action rules are making individual Tcodes which are part of CA04 as risk Tcodes.

 

Can you please help me to understand this?

 

Thanks in advance.

 

Regards,

Sai.

