How is "Deny Unless" Different From "Allow If" for Access Controls (ACLs)?

01-17-2025 08:11 AM
The Certified Application Developer (CAD) Delta Exam Study Guide here discusses two different "Decision Types" for Access Controls (ACLs), as follows:
But I must be missing something, because these seem like exactly the same thing to me. Example:
I am going to DENY you dessert UNLESS you eat your vegetables.
I am going to ALLOW you to have dessert IF you eat your vegetables.
What is the difference? I don't get it. Documentation here
01-17-2025 08:18 AM
Hi @G24,
I always find a step back (and grabbing a coffee) helps with these types of questions.
Essentially it's all about the default behaviour.
Whilst they seem similar at first glance, "Deny Unless" is more restrictive by default, denying access unless specific conditions are met, while "Allow If" is more permissive, granting access only if conditions are satisfied.
To help others (and for me to gain recognition for my efforts), please mark this response correct by clicking on Accept as Solution and/or Kudos.
Thanks, Robbie

01-17-2025 08:41 AM - edited 01-18-2025 12:18 AM
.
01-17-2025 08:54 AM
03-22-2025 02:19 PM
The first thing to understand is that the ACL engine will not grant access unless there is an Allow-If.
Second, Deny-Unless will be evaluated first. This means before all Allow-Ifs.
Third, anyone that does not satisfy the Deny-Unless will be denied, end of story.
Fourth, if I satisfy the Deny-Unless, it means I will not be denied. This does NOT mean I will be given access. It simply means I will not be denied by this rule. I would also need an allow-if to be granted access.
For your example,
I will not stop you from eating dessert, if you have eaten all your vegetables.
I will give you dessert, when you finish your vegetables.
Hope this helps.
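
The evaluation order described in the reply above, as a simplified model. This is an added example, not part of the original thread and not ServiceNow's ACL engine; the rule objects, the `decisionType` values and `evaluateAccess` are hypothetical names.

```javascript
// Simplified model of the four points in the reply above.
// Assumption: a rule is { name, decisionType, condition(user) }.
function evaluateAccess(user, rules) {
  const denyUnless = rules.filter((r) => r.decisionType === "deny_unless");
  const allowIf = rules.filter((r) => r.decisionType === "allow_if");

  // Deny-Unless rules are evaluated first, before every Allow-If.
  for (const rule of denyUnless) {
    if (!rule.condition(user)) {
      // Failing a Deny-Unless ends evaluation: denied.
      return { granted: false, reason: "denied by " + rule.name };
    }
  }

  // Satisfying every Deny-Unless only means "not denied".
  // Access is granted only if some Allow-If also matches.
  for (const rule of allowIf) {
    if (rule.condition(user)) {
      return { granted: true, reason: "allowed by " + rule.name };
    }
  }
  return { granted: false, reason: "no matching allow_if" };
}

// Constructed sample rules, following the dessert analogy in the thread.
const ateVegetables = {
  name: "ate_vegetables",
  decisionType: "deny_unless",
  condition: (u) => u.ateVegetables === true,
};
const isFamily = {
  name: "is_family",
  decisionType: "allow_if",
  condition: (u) => u.roles.includes("family"),
};

// Constructed sample users.
const child = { ateVegetables: true, roles: ["family"] };
const pickyChild = { ateVegetables: false, roles: ["family"] };
const guest = { ateVegetables: true, roles: [] };

function demo() {
  return [child, pickyChild, guest].map(
    (u) => evaluateAccess(u, [isFamily, ateVegetables]).reason
  );
}
console.log(demo());
```

With only the `ate_vegetables` rule defined and no Allow-If at all, every user is refused, including one who ate the vegetables.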