Controlling Access with a Deny Rule and a Negative Condition

To deny access to the right set of users, you need to know the characteristics both of the users who should not be able to access the resource and of the users who should.

You can create simple policies by using a Deny action. For example, suppose you have an application that you want only managers to access. If you have configured a Manager role to which all managers are assigned, you can use membership in that role as the condition for an Authorization policy.

This rule evaluates the user's roles: a user who does not belong to the Manager role matches the condition, and the action for a match is to deny access. Managers, who do belong to the Manager role, do not match the condition, so the Deny action is not applied to them.

The Result on Condition Error option is set to True. You do not want an error to cause the policy to assume that the user is a manager. If an error occurs (for example, the user's roles cannot be determined), you want the policy to assume that the user is not a manager, so that the user matches the condition and the Deny action is applied. In other words, the rule fails closed.
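The following is an added illustration, not code from the page or from the product it describes: a small Python simulation of a Deny rule whose condition is "user is not in the Manager role", with a setting that plays the part of Result on Condition Error. The class and function names (`NotInRoleRule`, `User`, `evaluate`) and the way a failed role lookup is modelled are assumptions made for the example. It shows the three cases the text discusses: a manager is permitted, a non-manager is denied, and a user whose roles cannot be resolved is denied when the error result is True. It also shows what happens with the weaker setting (False), where the same error would let the user through.

```python
# Added example: a minimal evaluator for a Deny rule with a negated role
# condition. This is a constructed simulation, not Access Manager's own
# policy engine; the names and structure are assumptions for illustration.
from dataclasses import dataclass, field

DENY = "Deny"
PERMIT = "Permit"


class ConditionError(Exception):
    """Raised when a condition cannot be evaluated (e.g. the role lookup failed)."""


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    roles_available: bool = True  # False simulates a failed role lookup


@dataclass
class NotInRoleRule:
    """Deny rule whose condition matches when the user is NOT in `role`."""
    role: str
    result_on_condition_error: bool  # stands in for "Result on Condition Error"

    def condition(self, user: User) -> bool:
        """The negative condition: True (a match) when the role is absent."""
        if not user.roles_available:
            raise ConditionError(f"could not resolve roles for {user.name}")
        return self.role not in user.roles

    def matches(self, user: User) -> bool:
        try:
            return self.condition(user)
        except ConditionError:
            # On error the condition takes the configured result:
            #   True  -> the rule matches -> Deny  (fail closed)
            #   False -> no match -> falls through to Permit (fail open)
            return self.result_on_condition_error


def evaluate(rule: NotInRoleRule, user: User) -> str:
    """Return DENY if the Deny rule matches, otherwise the default action, PERMIT."""
    return DENY if rule.matches(user) else PERMIT


if __name__ == "__main__":
    # Constructed sample users: a manager, a non-manager, and a user whose
    # roles could not be resolved.
    rule = NotInRoleRule(role="Manager", result_on_condition_error=True)
    for u in (
        User("alice", {"Manager"}),
        User("bob", {"Staff"}),
        User("carol", roles_available=False),
    ):
        print(u.name, evaluate(rule, u))
```

Running the block prints Permit for alice, Deny for bob, and Deny for carol. Changing `result_on_condition_error` to False leaves alice and bob unchanged but turns carol's result into Permit, which is exactly the outcome the text warns against: an error in role resolution would be treated as proof that the user is a manager.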