Negative Permissions

Negative permissions, also called "negative ACLs", are explicit "deny" rules. Some systems use them to override inherited "allow" rules.

Files.com uses allow-only permissions. Users (except site administrators) and groups start with no access, and only the permissions that have been explicitly granted apply. This model keeps access decisions auditable and predictable.

Some directory systems support negative permissions. Files.com cannot synchronize "deny" rules from those systems, because there is no equivalent construct on the Files.com side.

During migrations, you can use permission fences to block inherited allow permissions at a folder boundary. A permission fence is not an explicit "deny" rule and is not a general replacement for negative ACLs.
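
A pre-migration check that follows from the allow-only model described above, as an added example that is not Files.com code: it scans a constructed ACL export and flags each "deny" rule whose removal would let an inherited allow take effect. The entry format and the names `SOURCE_ACL` and `audit_denies` are assumptions; the check assumes allows inherit to subfolders and matches principals by exact name, ignoring group membership.

```python
from pathlib import PurePosixPath

# Constructed sample of a source-system ACL export (hypothetical format).
SOURCE_ACL = [
    {"path": "/finance", "principal": "staff", "effect": "allow"},
    {"path": "/finance/payroll", "principal": "staff", "effect": "deny"},
    {"path": "/finance/payroll", "principal": "hr", "effect": "allow"},
    {"path": "/eng", "principal": "contractors", "effect": "deny"},
    {"path": "/eng/docs", "principal": "staff", "effect": "allow"},
]


def is_ancestor_or_same(ancestor, path):
    """True when `ancestor` is `path` itself or a folder above it."""
    a, p = PurePosixPath(ancestor), PurePosixPath(path)
    return a == p or a in p.parents


def audit_denies(acl):
    """Classify every deny entry by what happens if it is simply dropped."""
    allows = [e for e in acl if e["effect"] == "allow"]
    report = []
    for deny in (e for e in acl if e["effect"] == "deny"):
        # Allows for the same principal at or above the denied folder
        # would be inherited into it once the deny no longer exists.
        inherited = sorted(
            a["path"] for a in allows
            if a["principal"] == deny["principal"]
            and is_ancestor_or_same(a["path"], deny["path"])
        )
        report.append({
            "path": deny["path"],
            "principal": deny["principal"],
            # With no allow above it, the principal has no access in an
            # allow-only model anyway, so the deny carries no information.
            "status": "OVER_GRANT_IF_DROPPED" if inherited else "REDUNDANT",
            "inherited_from": inherited,
        })
    return report


if __name__ == "__main__":
    for row in audit_denies(SOURCE_ACL):
        print(row)
```

Entries marked `OVER_GRANT_IF_DROPPED` are the ones to resolve before migrating, for example by restructuring the grants or by reviewing whether a permission fence at that folder fits.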