Selecting All Except Participant
When creating a policy access control rule, you can either indicate a participant to which the policy rule applies or you can indicate a participant and use the All except selected participant option. In the second case, the policy rule applies to all participants except the selected participant. The All except selected participant option is available for users, groups, organizations, and dynamic roles. It is not available for the pseudo roles Owner and All. A rule for all except a participant treats the participant as a group whose members are all participants except the following:
Administrator user
Selected user
Users in the selected group, dynamic role, or organization
For example, Steve creates the Beach Umbrella product in the /Default domain. Rather than creating multiple policy access control rules for each group in his product, he creates one policy access control rule denying the Administrative permission to all participants except the Administrators group. In this example, all users who are not administrators are denied the Administrative permission for objects in the Beach Umbrella product. However, if Steve wants to grant Carlos the Administrative permission, he can do so through a policy rule for the individual user. This works because the All except selected participant option treats the rule participant as a group whose members are all participants except the selected participant, and, as with other deny permissions, granting the same permission to an individual user overrides the group deny.
The All except selected participant option can be used in combination with an absolute deny permission. For example, suppose there is a type of document that you want to restrict all but a set of users from viewing. To do this, create a group called Secret View and add the users that should be able to view the documents. Then, create a policy access control rule absolutely denying the Read permission for that document type to all users who are not members of the Secret View group.
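
The participant matching and override behavior described above, as a simplified Python model added here for illustration (it is not Windchill code or its API). The group memberships, the users Alice, Dana and Erin, the rule that deny wins over grant at the same level, and the treatment of absolute deny as something no grant overrides are assumptions of this model.

```python
from dataclasses import dataclass

ADMIN_USER = "Administrator"  # never a member of an all-except rule

@dataclass(frozen=True)
class Rule:
    effect: str        # "grant", "deny" or "absolute_deny"
    permission: str
    participant: str   # user name or group name
    all_except: bool = False

def applies(rule, user, groups):
    """True if the rule covers user; groups maps group name -> set of users."""
    selected = groups.get(rule.participant, {rule.participant})
    if rule.all_except:
        # Everyone except the Administrator user and the selected participant(s).
        return user != ADMIN_USER and user not in selected
    return user in selected

def decide(rules, user, permission, groups):
    """Return 'absolute_deny', 'deny', 'grant', or None when no rule applies."""
    hits = [r for r in rules if r.permission == permission and applies(r, user, groups)]
    if any(r.effect == "absolute_deny" for r in hits):
        return "absolute_deny"  # assumption: no grant overrides an absolute deny
    # Individual-user rules are consulted before group-like rules, so an
    # individual grant overrides a group deny. An all-except rule is group-like.
    for individual in (True, False):
        level = [r.effect for r in hits
                 if (not r.all_except and r.participant not in groups) == individual]
        if "deny" in level:     # assumption: deny wins within the same level
            return "deny"
        if "grant" in level:
            return "grant"
    return None

# Constructed sample data: group names and Carlos come from the page's examples,
# the other users and the memberships are made up for illustration.
GROUPS = {"Administrators": {"Alice"}, "Secret View": {"Dana"}}
RULES = [
    Rule("deny", "Administrative", "Administrators", all_except=True),
    Rule("grant", "Administrative", "Carlos"),
    Rule("absolute_deny", "Read", "Secret View", all_except=True),
    Rule("grant", "Read", "Erin"),
]

if __name__ == "__main__":
    for user, perm in [("Erin", "Administrative"), ("Carlos", "Administrative"),
                       ("Alice", "Administrative"), ("Erin", "Read"), ("Dana", "Read")]:
        print(f"{user:8} {perm:15} -> {decide(RULES, user, perm, GROUPS)}")
```

A result of None means the modeled rules say nothing about that user, so the outcome depends on whatever other rules exist in the policy.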