Rules Governing Domain-based ACLs and Ad Hoc ACLs
An access control rule for the domain applies to an object type. An ad hoc ACL applies to a specific object. The ad hoc ACL, however, only grants permissions; it cannot be used to deny access to an object. If the ad hoc ACL grants a permission that is denied in the policy ACL, the ad hoc rule supersedes the policy rule, and the access right is granted. If the ad hoc ACL grants a permission that is absolutely denied in the policy ACL, the ad hoc rule does not supersede the policy rule and the access right is denied.