assertEquals("D1guest", permissionHelper.encode("(deny){user}guest"));
        assertEquals("DRguest", permissionHelper.encode("(deny){role}guest"));
        assertEquals("D2guest", permissionHelper.encode("(deny){group}guest"));
        assertEquals("D1guest", permissionHelper.encode("(deny){USER}guest"));
        assertEquals("DRguest", permissionHelper.encode("(deny){ROLE}guest"));

    // Access Mode Encoding for desiredAccess
    static final int SHARING_COMPATIBILITY = 0x00;
    static final int SHARING_DENY_READ_WRITE_EXECUTE = 0x10;
    static final int SHARING_DENY_WRITE = 0x20;
    static final int SHARING_DENY_READ_EXECUTE = 0x30;
    static final int SHARING_DENY_NONE = 0x40;

    static final int DO_NOT_CACHE = 0x1000; // bit 12
    static final int WRITE_THROUGH = 0x4000; // bit 14

 * the operation and the desired access bits are compared to the SID
 * and access mask of each ACE. If the SID matches, the allow/deny flags
 * and access mask are considered. If the ACE is a "deny"
 * ACE and <i>any</i> of the desired access bits match bits in the access
 * mask of the ACE, the whole access check fails. If the ACE is an "allow"

    private static final int SHARING_COMPATIBILITY           = 0x00;
    private static final int SHARING_DENY_READ_WRITE_EXECUTE = 0x10;
    private static final int SHARING_DENY_WRITE              = 0x20;
    private static final int SHARING_DENY_READ_EXECUTE       = 0x30;
    private static final int SHARING_DENY_NONE               = 0x40;

    private static final int DO_NOT_CACHE  = 0x1000; // bit 12

              {
               "tag": "istio.authorization.dry_run.deny_policy.name",
               "metadata": {
                "kind": {
                 "request": {}
                },
                "metadata_key": {
                 "key": "envoy.filters.http.rbac",
                 "path": [
                  {
                   "key": "istio_dry_run_deny_shadow_effective_policy_id"
                  }

 * the operation and the desired access bits are compared to the SID
 * and access mask of each ACE. If the SID matches, the allow/deny flags
 * and access mask are considered. If the ACE is a "deny"
 * ACE and <i>any</i> of the desired access bits match bits in the access
 * mask of the ACE, the whole access check fails. If the ACE is an "allow"

  depguard:
    rules:
      DenyGogoProtobuf:
        files:
          - $all
        deny:
          - pkg: github.com/gogo/protobuf
            desc: "gogo/protobuf is deprecated, use golang/protobuf"
      # deny for all go files
      AllGoFiles:
        files:
          - $all
        deny:
          - pkg: golang.org/x/net/http2/h2c

	typedef [v1_enum] enum {
		SE_GROUP_MANDATORY          = 0x00000001,
		SE_GROUP_ENABLED_BY_DEFAULT = 0x00000002,
		SE_GROUP_ENABLED            = 0x00000004,
		SE_GROUP_OWNER              = 0x00000008,
		SE_GROUP_USE_FOR_DENY_ONLY  = 0x00000010,
		SE_GROUP_RESOURCE           = 0x20000000,
		SE_GROUP_LOGON_ID           = 0xC0000000
	} SamrGroupAttrs;

	typedef struct {
		uint32_t rid;
		SamrGroupAttrs attributes;
	} SamrRidWithAttribute;

                                      "key": "istio_dry_run_deny_shadow_effective_policy_id"
                                    }
                                  ]
                                }
                              }
                            },
                            {
                              "tag": "istio.authorization.dry_run.deny_policy.result",
                              "metadata": {

 * the operation and the desired access bits are compared to the SID
 * and access mask of each ACE. If the SID matches, the allow/deny flags
 * and access mask are considered. If the ACE is a "deny"
 * ACE and <i>any</i> of the desired access bits match bits in the access
 * mask of the ACE, the whole access check fails. If the ACE is an "allow"