*/
        public String[] getAllows() {
            return allowedPaths.toArray(new String[allowedPaths.size()]);
        }

        /**
         * Gets all disallowed paths for this directive.
         * @return an array of disallowed paths
         */
        public String[] getDisallows() {
            return disallowedPaths.toArray(new String[disallowedPaths.size()]);
        }
    }

    /**

	sseS3 := crypto.S3.IsEncrypted(objInfo.UserDefined)
	if !sseKMS && !sseS3 { // neither sse-s3 nor sse-kms disallowed
		return errInvalidEncryptionParameters
	}
	if sseKMS && r.Encryption.Type == sses3 { // previously encrypted with sse-kms, now sse-s3 disallowed
		return errInvalidEncryptionParameters
	}
	versioned := globalBucketVersioningSys.PrefixEnabled(srcBucket, srcObject)

            return false;
        }

        if (!selected.atLeast(getConfig().getMinimumVersion()) || !selected.atMost(getConfig().getMaximumVersion())) {
            log.debug("Server selected an disallowed dialect version {} (min: {} max: {})", selected, getConfig().getMinimumVersion(),
                    getConfig().getMaximumVersion());
            return false;
        }
        this.selectedDialect = selected;

Note that just like with [AWS](https://docs.aws.amazon.com/AmazonS3/latest/userguide/delete-marker-replication.html), Delete marker replication is disallowed in MinIO when the replication rule has tags.

To add a replication rule allowing both delete marker replication, versioned delete replication or both specify the --replicate flag with comma separated values as in the example below.

        // When
        boolean valid = response.isValid(mockContext, mockRequest);

        // Then
        assertFalse(valid);
    }

    @Test
    @DisplayName("Should fail validation with disallowed dialect")
    void testIsValidDisallowedDialect() throws Exception {
        // Given
        setResponseAsReceived(response);
        setPrivateField(response, "dialectRevision", 0x0202); // SMB 2.0.2

    }

    /**
     * Initializes the disallowed compound operations based on the provided property string.
     *
     * @param prop comma-separated list of operations to disallow in compound requests
     */
    protected void initDisallowCompound(final String prop) {
        if (prop == null) {
            return;
        }
        final Set<String> disallow = new HashSet<>();

and <i>w'</i> happens before <i>r</i>.
That is, each read must observe a value written by a preceding or concurrent write.
</p>

<p>
Additionally, observation of acausal and “out of thin air” writes is disallowed.
</p>

<p>
Reads of memory locations larger than a single machine word
are encouraged but not required to meet the same semantics
as word-sized memory locations,
observing a single allowed write <i>w</i>.

	if s3Err != ErrNone {
		writeErrorResponseJSON(ctx, w, errorCodes.ToAPIErr(s3Err), r.URL)
		return
	}

	checkDenyOnly := name == cred.AccessKey

	if !globalIAMSys.IsAllowed(policy.Args{
		AccountName:     cred.AccessKey,
		Groups:          cred.Groups,
		Action:          policy.GetUserAdminAction,
		ConditionValues: getConditionValues(r, "", cred),
		IsOwner:         owner,

		byPassSet = globalIAMSys.IsAllowed(policy.Args{
			AccountName:     cred.AccessKey,
			Groups:          cred.Groups,
			Action:          policy.BypassGovernanceRetentionAction,
			BucketName:      bucketName,
			ObjectName:      objectName,
			ConditionValues: conditions,
			IsOwner:         owner,
			Claims:          cred.Claims,
		})
	}
	if globalIAMSys.IsAllowed(policy.Args{

	policy, _, err := globalBucketMetadataSys.GetPolicyConfig(bucket)
	return policy, err
}

// IsAllowed - checks given policy args is allowed to continue the Rest API.
func (sys *PolicySys) IsAllowed(args policy.BucketPolicyArgs) bool {
	p, err := sys.Get(args.BucketName)
	if err == nil {
		return p.IsAllowed(args)
	}

	// Log unhandled errors.
	if _, ok := err.(BucketPolicyNotFound); !ok {