}
                        }
                    }
                } else {
                    // Forbidden
                    logger.warn("Access denied to file: file={}", file.getAbsolutePath());
                    responseData.setHttpStatusCode(Constants.FORBIDDEN_STATUS_CODE);
                    responseData.setMimeType(APPLICATION_OCTET_STREAM);
                }

following JWT claims, `policy` claim is mandatory and should be present as part of your JWT claim. Without this claim the generated credentials will not have access to any resources on the server, using these credentials application would receive 'Access Denied' errors.

| Claim Name | Type                                              | Claim Value                                                                                                                                                      ...

		permDir := path.Join(os.TempDir(), "perm-dir")
		if err := os.MkdirAll(permDir, os.FileMode(0o200)); err != nil {
			t.Fatal(err)
		}
		defer os.RemoveAll(permDir)

		// Check if permission denied.
		if _, err := readDir(permDir); err == nil {
			t.Fatalf("expected = an error, got: nil")
		}
	}
}

// Represents data type for all the test results.
type result struct {
	dir     string

        initialContext.put("host", "server.example.com");
        initialContext.put("port", 445);

        exception = new SmbOperationException(SmbOperationException.ErrorCode.ACCESS_DENIED, "Permission denied", null,
                SmbOperationException.RetryPolicy.DEFAULT, initialContext);

        // When
        exception.withContext("path", "/share/file.txt").withContext("user", "testuser");

        // Then

	ctx, cancel := context.WithTimeout(context.Background(), testDefaultTimeout)
	defer cancel()

	// we need to do this so that the user has a policy before authentication.
	// ldap user accounts without policies are denied access in sftp.
	policy := "mypolicy"
	policyBytes := []byte(`{
 "Version": "2012-10-17",
 "Statement": [
  {
   "Effect": "Allow",
   "Action": [
    "s3:PutObject",
    "s3:GetObject",

        this.userPrefix = userPrefix;
    }

    /**
     * Extracts role type information from SMB (Server Message Block) response data.
     * Processes both SMB and SMB1 protocols to extract allowed and denied SIDs.
     *
     * @param responseData the response data containing SMB metadata
     * @return a list of role type strings extracted from the SMB permissions
     */

	}
	// 2.3 check user has access to bucket
	c.mustListObjects(ctx, uClient, bucket)
	// 2.3 check that user cannot delete the bucket
	err = uClient.RemoveBucket(ctx, bucket)
	if err == nil || err.Error() != "Access Denied." {
		c.Fatalf("bucket was deleted unexpectedly or got unexpected err: %v", err)
	}

	// 3. Craft a request to update the user's permissions
	ep := s.adm.GetEndpointURL()
	urlValue := url.Values{}

		return nil, err
	}

	if !hold.Status.Valid() {
		return nil, ErrMalformedXML
	}
	return hold, err
}

// FilterObjectLockMetadata filters object lock metadata if s3:GetObjectRetention permission is denied or if isCopy flag set.
func FilterObjectLockMetadata(metadata map[string]string, filterRetention, filterLegalHold bool) map[string]string {
	// Copy on write
	dst := metadata
	var copied bool

	// List of test cases for validating http request authentication.
	testCases := []struct {
		req     *http.Request
		s3Error APIErrorCode
	}{
		// When request is unsigned, access denied is returned.
		{mustNewRequest(http.MethodGet, "http://127.0.0.1:9000", 0, nil, t), ErrAccessDenied},
		// Empty Content-Md5 header.

                                ex = se;
                                /* Apparently once a successfull NTLMSSP login occurs, the
                                 * server will return "Access denied" even if a logoff is
                                 * sent. Unfortunately calling disconnect() doesn't always
                                 * actually shutdown the connection before other threads