}

	denyOnly := (targetUser == cred.AccessKey || targetUser == cred.ParentUser)
	if ldap && !denyOnly {
		res, _ := globalIAMSys.LDAPConfig.GetValidatedDNForUsername(targetUser)
		if res != nil && res.NormDN == cred.ParentUser {
			denyOnly = true
		}
	}

	// Check if action is allowed if creating access key for another user

	// As the session policy exists, even if the parent is the root account, it
	// must be restricted by it. So, we set `.IsOwner` to false here
	// unconditionally.
	//
	// We also set `DenyOnly` arg to false here - this is an IMPORTANT corner
	// case: DenyOnly is used only for allowing an account to do actions related
	// to its own account (like create service accounts for itself, among