Deny-Unless ACL in ServiceNow
Article in ServiceNow Community · Dec 01, 2024
A Deny-Unless ACL blocks access unless all its rules are met. It’s like a locked door that only opens if you have the right key, meet the conditions, and follow the rules.
How Does It Work?
• If the user meets all requirements (role, condition, and script), the ACL passes, and other rules (Allow-If ACLs) decide if access is allowed.
• If any requirement fails, the ACL fails, and access is blocked immediately.
Which Comes First?
Deny-Unless ACLs are always checked before Allow-If ACLs. If the Deny-Unless fails, access is blocked—no further rules are checked.
Scenarios:
User has “itil” role, record is active, user is logged in
• Pass: All rules are met. The system will now check Allow-If ACLs to decide access.
User doesn’t have the required role
• Fail: Access is denied immediately.
User has the role but the record is inactive
• Fail: One rule is not met, so access is blocked.
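The scenarios above can be traced with a small JavaScript model of the evaluation order. This is an added example, not ServiceNow's ACL engine or code from the original article; the ACL names, user and record fields are hypothetical, and it assumes a single passing Allow-If ACL grants access. It also goes one step beyond the listed scenarios by including a user who passes the Deny-Unless ACL but matches no Allow-If ACL.

```javascript
// Simplified model of the evaluation order described in this article.
// It is an illustration, not ServiceNow's ACL engine.

// An ACL passes only if its role, condition and script requirements all hold.
function aclPasses(acl, user, record) {
  const roleOk = !acl.role || user.roles.includes(acl.role);
  const conditionOk = !acl.condition || acl.condition(record);
  const scriptOk = !acl.script || acl.script(user, record);
  return roleOk && conditionOk && scriptOk;
}

function evaluateAccess(acls, user, record) {
  // Deny-Unless ACLs are checked first; the first failure blocks access
  // and no Allow-If ACL is evaluated.
  for (const acl of acls.filter((a) => a.type === 'deny-unless')) {
    if (!aclPasses(acl, user, record)) {
      return { allowed: false, decidedBy: acl.name, allowIfChecked: false };
    }
  }
  // Assumption: a single passing Allow-If ACL is enough to grant access.
  const grant = acls
    .filter((a) => a.type === 'allow-if')
    .find((a) => aclPasses(a, user, record));
  return { allowed: Boolean(grant), decidedBy: grant ? grant.name : null, allowIfChecked: true };
}

// Constructed sample ACLs (hypothetical names) matching the scenarios.
const sampleAcls = [
  { name: 'deny_unless_gate', type: 'deny-unless', role: 'itil',
    condition: (r) => r.active === true, script: (u) => u.loggedIn === true },
  { name: 'allow_if_assignee', type: 'allow-if',
    script: (u, r) => r.assignedTo === u.name },
];

function runScenarios() {
  const open = { active: true, assignedTo: 'abel' };
  const closed = { active: false, assignedTo: 'abel' };
  const abel = { name: 'abel', roles: ['itil'], loggedIn: true };
  const beth = { name: 'beth', roles: ['itil'], loggedIn: true };
  const carl = { name: 'carl', roles: [], loggedIn: true };
  return {
    allRulesMet: evaluateAccess(sampleAcls, abel, open),
    missingRole: evaluateAccess(sampleAcls, carl, open),
    inactiveRecord: evaluateAccess(sampleAcls, abel, closed),
    gatePassedOnly: evaluateAccess(sampleAcls, beth, open),
  };
}

console.log(runScenarios());
```

The gatePassedOnly result is the one to check when reviewing ACLs: passing a Deny-Unless ACL does not grant access by itself, it only lets the Allow-If ACLs decide.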
Summary:
Deny-Unless ACLs block access unless everything checks out. If they fail, no other rules are checked, and the user is denied access.
https://www.servicenow.com/community/developer-articles/deny-unless-acl-in-servicenow/ta-p/3116795