Anand Kumar P
Giga Patron

 

A Deny-Unless ACL blocks access unless all its rules are met. It’s like a locked door that only opens if you have the right key, meet the conditions, and follow the rules.

 

How Does It Work?

• If the user meets all requirements (role, condition, and script), the ACL passes, and other rules (Allow-If ACLs) decide if access is allowed.
• If any requirement fails, the ACL fails, and access is blocked immediately.

 

Which Comes First?

Deny-Unless ACLs are always checked before Allow-If ACLs. If the Deny-Unless fails, access is blocked—no further rules are checked.

 

Scenarios:

User has “itil” role, record is active, user is logged in
• Pass: All rules are met. The system will now check Allow-If ACLs to decide access.

User doesn’t have the required role
• Fail: Access is denied immediately.

User has the role but the record is inactive
• Fail: One rule is not met, so access is blocked.

 

Summary:
Deny-Unless ACLs block access unless everything checks out. If they fail, no other rules are checked, and the user is denied access.
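
The evaluation order described above, as a small JavaScript model added here for illustration; it is not ServiceNow platform code and not the author's. The function names, the ACL object shape and the sample users and records are assumptions, and the model covers a single Deny-Unless ACL and treats one passing Allow-If ACL as enough to grant access.

```javascript
// Added illustrative model of the evaluation order; not ServiceNow platform code.
// An ACL here is { role, condition, script }; all three must hold for it to pass.
function aclPasses(acl, user, record) {
  return user.roles.includes(acl.role) && acl.condition(record) && acl.script(user, record);
}

// Evaluate the Deny-Unless ACL first, then the Allow-If ACLs.
function evaluateAccess(denyUnless, allowIfs, user, record) {
  const trace = [];
  if (!aclPasses(denyUnless, user, record)) {
    trace.push('deny-unless: fail');
    return { allowed: false, trace }; // blocked immediately; Allow-If is never evaluated
  }
  trace.push('deny-unless: pass');
  // Assumption of this model: one passing Allow-If ACL is enough to grant access.
  const granted = allowIfs.some((acl) => aclPasses(acl, user, record));
  trace.push('allow-if: ' + (granted ? 'pass' : 'fail'));
  return { allowed: granted, trace };
}

// Constructed Deny-Unless ACL matching the article's scenario:
// "itil" role, record is active, user is logged in.
const denyUnless = {
  role: 'itil',
  condition: (rec) => rec.active === true,
  script: (user) => user.loggedIn === true,
};
// Constructed (hypothetical) Allow-If ACL: record must be assigned to "alice".
const allowIfs = [
  { role: 'itil', condition: (rec) => rec.assignedTo === 'alice', script: () => true },
];

// Constructed sample users and records.
const alice = { roles: ['itil'], loggedIn: true };
const bob = { roles: [], loggedIn: true };
const activeRec = { active: true, assignedTo: 'alice' };
const inactiveRec = { active: false, assignedTo: 'alice' };
const otherRec = { active: true, assignedTo: 'carol' };

function runScenarios() {
  return {
    allMet: evaluateAccess(denyUnless, allowIfs, alice, activeRec),
    noRole: evaluateAccess(denyUnless, allowIfs, bob, activeRec),
    inactive: evaluateAccess(denyUnless, allowIfs, alice, inactiveRec),
    gateOnly: evaluateAccess(denyUnless, allowIfs, alice, otherRec),
  };
}
console.log(JSON.stringify(runScenarios(), null, 2));
```

The `gateOnly` case is the one to note: the Deny-Unless ACL passes, but no Allow-If ACL matches, so access is still not granted.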

 


Comments
SD2024
Tera Expert

Does this mean you can only have 1 Deny ACL per table, or does it mean you can have multiple Deny ACLs but they take priority over the other ACLs?

Suryansh Raj Du
ServiceNow Employee

@SD2024 We can have multiple Deny ACLs per table. Deny Unless ACLs will be checked before Allow If ACLs are validated.

An1
Tera Explorer

@Suryansh Raj Du Does it have to pass all the Deny ACLs first, or one, if we have multiple Deny ACLs?

Version history
Last update: 12-01-2024 10:21 AM