...
The policy model enhancements in RANGER-606 add the capability to explicitly deny access on the given conditions and also to specify excludes to allow-conditions and deny-conditions. Let’s use the same policies used in the previous section, but with an added condition to explicitly deny access to users in interns group.
Please note that after updates in RANGER-876, deny in policies are is available only for services whose service-def has option enableDenyAndExceptionsInPolicies set to true, as shown below:
...