Deny ACLs Explained in a simpler way.
an hour ago
Hello folks,
After spending some confusing hours on this, I finally broke down the Deny Unless ACL decision type into a simple real-world example.
Scenario: Imagine a sensitive field called "Payment Status". Several Allow if ACLs already grant access to this field through different roles. But now you want tighter control — only users with a high-privilege role (say Finance_User) should see it. This is exactly where the Deny Unless decision type helps.
Explanation: With this Deny Unless ACL type, users who have other roles will only see the Payment Status field if they also have the Finance_User role. It adds an extra layer of restriction and ensures only the right users can view the field.
Observation: One thing that surprised me — in the Roles section of ACLs, if a user has at least one of the listed roles, they pass the role check. For example, if the ACL lists roles 'abc' and 'def', and the user has only 'abc', they still qualify. So be careful when specifying multiple roles. Personally, I prefer assigning a single controlling role to avoid confusion and reduce dependency on the Deny Unless ACL.
See the below image:
This is my understanding of it. Everyone is welcome to share insights or simpler ways to use Deny Unless for better clarity.
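A small simulation of the evaluation described in the post, added here as an example; it is not code from the post or from ServiceNow. The ACL names, the roles and the combining rule (every Deny Unless ACL on the field must pass, then at least one Allow If ACL must grant) are assumptions modelled on the post, and the role check uses the OR semantics the post observed.

```javascript
// Added example: toy model of Allow If / Deny Unless decision types.
// Not ServiceNow code; names and the combining rule are assumptions.

// Per the post, a user passes an ACL's role check if they hold at least
// ONE of the roles listed on it (OR semantics, not AND).
function passesRoleCheck(acl, userRoles) {
  if (acl.roles.length === 0) return true; // no role restriction
  return acl.roles.some((r) => userRoles.includes(r));
}

// Assumed combining rule modelled on the post: every "Deny Unless" ACL
// must pass first; only then may an "Allow If" ACL grant the read.
function canReadField(acls, userRoles) {
  const denyUnless = acls.filter((a) => a.type === 'deny_unless');
  const allowIf = acls.filter((a) => a.type === 'allow_if');
  if (!denyUnless.every((a) => passesRoleCheck(a, userRoles))) return false;
  return allowIf.some((a) => passesRoleCheck(a, userRoles));
}

// Constructed sample ACLs for the "Payment Status" field (hypothetical).
const paymentStatusAcls = [
  { name: 'allow_support', type: 'allow_if', roles: ['abc'] },
  { name: 'allow_ops', type: 'allow_if', roles: ['def', 'ghi'] },
  { name: 'deny_unless_finance', type: 'deny_unless', roles: ['Finance_User'] },
];

// Scenarios from the post, evaluated under the assumed rule.
function runScenarios() {
  return {
    // 'abc' alone is granted by allow_support but fails the Deny Unless.
    supportOnly: canReadField(paymentStatusAcls, ['abc']),
    // 'abc' plus Finance_User passes Deny Unless and an Allow If.
    supportWithFinance: canReadField(paymentStatusAcls, ['abc', 'Finance_User']),
    // Finance_User alone passes Deny Unless but no Allow If grants it.
    financeOnly: canReadField(paymentStatusAcls, ['Finance_User']),
    // The post's observation: listing 'abc' and 'def' admits a user with only 'abc'.
    multiRoleCheck: passesRoleCheck({ roles: ['abc', 'def'] }, ['abc']),
  };
}

console.log(runScenarios());
```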
