Unlike a deny policy access control rule, which can be overridden by an ad hoc access control rule and, in some cases, a grant policy rule, an absolute deny policy rule cannot be overridden. A user denied a permission to an object using an absolute deny policy rule cannot be granted access unless the absolute deny policy is removed. Absolute deny policy rules cannot be created for pseudo roles.

For example, Jessica creates the Sport Umbrella project in the /Default domain. To control content, she does not want participants in the Members group to have the Delete permission. To do this, she selects Absolute Deny for the Delete permission. Selecting Absolute Deny for a permission does not automatically select any other permissions. The absolute deny rule for the Members group overrides all other rules, including ad hoc rules and policy rules granting Delete permission to specific users in the group or to object owners. Therefore, even if a user is the owner of an object, he or she is not able to delete the object.

For more information about determining what access a user has based on a combination of all permissions, see How ACLs Work.