* the operation and the desired access bits are compared to the SID
 * and access mask of each ACE. If the SID matches, the allow/deny flags
 * and access mask are considered. If the ACE is a "deny"
 * ACE and <i>any</i> of the desired access bits match bits in the access
 * mask of the ACE, the whole access check fails. If the ACE is an "allow"

 * the operation and the desired access bits are compared to the SID
 * and access mask of each ACE. If the SID matches, the allow/deny flags
 * and access mask are considered. If the ACE is a "deny"
 * ACE and <i>any</i> of the desired access bits match bits in the access
 * mask of the ACE, the whole access check fails. If the ACE is an "allow"

        assertNotNull(ace.getSID());
    }

    @Test
    @DisplayName("Test decode with deny ACE")
    void testDecodeDenyACE() throws Exception {
        // Prepare test data - Deny ACE
        testBuffer = new byte[100];
        testBuffer[0] = 0x01; // Deny ACE (non-zero)
        testBuffer[1] = 0x10; // FLAGS_INHERITED
        testBuffer[2] = 0x24; // Size low byte (36)

 * the operation and the desired access bits are compared to the SID
 * and access mask of each ACE. If the SID matches, the allow/deny flags
 * and access mask are considered. If the ACE is a "deny"
 * ACE and <i>any</i> of the desired access bits match bits in the access
 * mask of the ACE, the whole access check fails. If the ACE is an "allow"

MinIO supports multiple admin users in addition to default operator credential created during server startup. New admins can be added after server starts up, and server can be configured to deny or allow access to different admin operations for these users. This document explains how to add/remove admin users and modify their access rights.

## Get started

MinIO supports multiple long term users in addition to default user created during server startup. New users can be added after server starts up, and server can be configured to deny or allow access to buckets and resources to each of these users. This document explains how to add/remove users and modify their access rights.

## Get started

	ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
	defer cancel()

	// 1. Create a policy
	policy1 := "deny-svc"
	policy2 := "allow-svc"
	policyBytes := []byte(`{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Deny",
   "Action": [
    "admin:CreateServiceAccount"
   ]
  }
 ]
}`)

	newPolicyBytes := []byte(`{
 "Version": "2012-10-17",

```

</details>

**Note that by default no policy is set on a user**. Thus even if they successfully authenticate with AD/LDAP credentials, they have no access to object storage as the default access policy is to deny all access.

## API Request Parameters

### LDAPUsername

Is AD/LDAP username to login. Application must ask user for this value to successfully obtain rotating access credentials from AssumeRoleWithLDAPIdentity.

    public static final int SE_GROUP_ENABLED = 4;
    /** Security group attribute: Group can be assigned as owner of objects */
    public static final int SE_GROUP_OWNER = 8;
    /** Security group attribute: Group is used for deny-only checks */
    public static final int SE_GROUP_USE_FOR_DENY_ONLY = 16;
    /** Security group attribute: Domain-local group */
    public static final int SE_GROUP_RESOURCE = 536870912;

    public static final int SE_GROUP_ENABLED = 4;
    /** Security group attribute: Group can be assigned as owner of objects */
    public static final int SE_GROUP_OWNER = 8;
    /** Security group attribute: Group is used for deny-only checks */
    public static final int SE_GROUP_USE_FOR_DENY_ONLY = 16;
    /** Security group attribute: Domain-local group */
    public static final int SE_GROUP_RESOURCE = 536870912;