Creating a Deny Record to Handle Access Right Exceptions

Suppose that you have a group called Testers that has complete access to the files in the QA view, a view that contains folders full of test files. A newly hired member of the Testers group, New Tester, has not yet been trained to update the tests or perform similar tasks. Although New Tester is a member of the Testers group, you do not want this user to perform certain operations on these files for a couple of weeks. You could temporarily remove New Tester from the Testers group, but the application also lets you give New Tester all the rights of the Testers group with a few exceptions. To list the exceptions, you create a deny record.

  1. Click Add. The Assign Access Rights To dialog box opens.
  2. Select a user or group. Users are listed by their user names and groups are listed by their paths (excluding the All Users group).
  3. Select Deny and click OK to return to the Access Rights dialog box.
    CAUTION:
    Never select Deny to create an exception to a group unless that group is already specifically granted access for this same node. In this example, the Testers group must have access for this node.
  4. Select or clear the appropriate check boxes. Selecting or clearing the check box for a category, such as Generic object rights for a project, selects or clears all the access right check boxes for that category. The category check box has only two states. When it is cleared, the access right check boxes for that category are either all cleared or mixed: some selected and some cleared.
    CAUTION:
    Clicking Delete removes the selected user or group from the Users and groups list in the Access Rights dialog box. The selected user or group loses any previously set access rights to the Server.
  5. Click Move Up to move the deny record to the top of the Users and groups list in the Access Rights dialog box.
    Tip: All deny records must precede all grant records in the Users and groups list. Otherwise, the exception will not occur. For example, if the application finds the grant record for Testers before it finds the deny record for New Tester, the rights the user has as a member of the Testers group will apply.
  6. Click OK.
Note: Depending on the privileges of the Testers group, New Tester may be able to perform these operations anyway. Also, if a deny record is the only record for a node, anyone not specifically granted access rights for that node has no access to that type of object at that level. When the application finds a node for the correct type of object that has even one record, it does not check higher levels for access rights.
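
The record ordering and node lookup described in the Tip and Note above, modelled as an added example (not the application's own code): a simplified first-match check over the Users and groups list, plus a check for deny records listed after a grant record. The Record type, the function names, the right names and the handling of a deny record that does not cover the requested right are assumptions; privileges are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Record:
    kind: str           # "deny" or "grant"
    principal: str      # user name or group name
    rights: frozenset   # rights covered by the record's selected check boxes

def is_allowed(levels, user, groups, right):
    """levels: record lists ordered from the object's node up to higher levels.
    Returns True/False, or None when no level holds any record (a case the
    page does not describe)."""
    principals = {user, *groups}
    for records in levels:
        if not records:
            continue                  # no records at this node: look one level up
        for rec in records:           # list order decides: the first match applies
            # Assumption: a record that does not cover this right is skipped.
            if rec.principal in principals and right in rec.rights:
                return rec.kind == "grant"
        return False                  # node has records, none match: stop here
    return None

def misordered_denies(records):
    """Deny records listed after a grant record, where the exception may not occur."""
    seen_grant, late = False, []
    for rec in records:
        if rec.kind == "grant":
            seen_grant = True
        elif seen_grant:
            late.append(rec)
    return late

# Constructed sample data; the right names are hypothetical.
ALL = frozenset({"see", "modify", "delete"})
DENY_NEW = Record("deny", "New Tester", frozenset({"modify", "delete"}))
GRANT_TESTERS = Record("grant", "Testers", ALL)
GRANT_ALL_HIGHER = Record("grant", "All Users", ALL)

CORRECT = [DENY_NEW, GRANT_TESTERS]   # deny record moved to the top (step 5)
WRONG = [GRANT_TESTERS, DENY_NEW]     # grant found first, so the deny is never reached

if __name__ == "__main__":
    for name, acl in (("correct", CORRECT), ("wrong", WRONG)):
        print(name, is_allowed([acl], "New Tester", ["Testers"], "modify"),
              [r.principal for r in misordered_denies(acl)])
```

Running misordered_denies over each node's list is a quick way to find exceptions that silently do not apply.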