Denying access
In some cases it may be easier to prevent certain users from accessing specific objects, rather than trying to find a way to grant limited user access. Use the ACL DENY ENABLE setting on the Manage the system > Policies > Options page to allow product administrators to deny read and write permissions to objects by selecting appropriate checkboxes under the Access control tab.
It is possible for users to belong to more than one group with configured access controls for the same object. Set ACL DENY ENABLE to:
Allow permissions to take precedence | to allow a user’s allowed access to override denied access. |
Deny permissions to take precedence | to allow a user’s denied access to override allowed access. |
For example, a user belongs to group A with permission to read object C, and also belongs to group B which is denied all access to object C. The Allow permissions to take precedence setting means the user does have read permission for object C.