return nil, err
	}

	if !hold.Status.Valid() {
		return nil, ErrMalformedXML
	}
	return hold, err
}

// FilterObjectLockMetadata filters object lock metadata if s3:GetObjectRetention permission is denied or if isCopy flag set.
func FilterObjectLockMetadata(metadata map[string]string, filterRetention, filterLegalHold bool) map[string]string {
	// Copy on write
	dst := metadata
	var copied bool

            }
        }
    }

    /**
     * Builds role-based query filters using the provided role set.
     * This method adds should clauses for allowed roles and must-not clauses for denied roles.
     *
     * @param roleSet the set of roles to use for filtering
     * @param boolQuery the boolean query builder to add role filters to
     */

                localLogMsg.get());
    }

    // ===== Access Denied Audit Log Tests =====

    @Test
    public void test_accessDenied() {
        activityHelper.useEcsFormat = false;
        activityHelper.accessDenied(OptionalThing.empty(), "/admin/user/");

		if store.getUsersSysType() == MinIOUsersSysType {
			g, ok := c.iamGroupsMap[group]
			if !ok {
				continue
			}

			// Group is disabled, so we return no policy - this
			// ensures the request is denied.
			if g.Status == statusDisabled {
				continue
			}
		}

		policy, ok := c.iamGroupPolicyMap.Load(group)
		if !ok {
			continue
		}

		policies = append(policies, policy.toSlice()...)

                                ex = se;
                                /* Apparently once a successfull NTLMSSP login occurs, the
                                 * server will return "Access denied" even if a logoff is
                                 * sent. Unfortunately calling disconnect() doesn't always
                                 * actually shutdown the connection before other threads

	errEncryptedObject                = errors.New("The object was stored using a form of SSE")
	errInvalidSSEParameters           = errors.New("The SSE-C key for key-rotation is not correct") // special access denied
	errKMSNotConfigured               = errors.New("KMS not configured for a server side encrypted objects")
	errKMSKeyNotFound                 = errors.New("Unknown KMS key ID")

## Configuring AD/LDAP on MinIO

			secretKey:          credentials.SecretKey,
			expectedContent:    encodedErrorResponse,
			expectedRespStatus: http.StatusOK,
		},
		// Test case - 5.
		// Anonymous user access denied response
		// Currently anonymous users cannot delete multiple objects in MinIO server
		5: {
			bucket:             bucketName,
			objects:            anonRequest,
			accessKey:          "",

			//   HTTP status code 404 ("no such key")
			//   error.
			// * if you don’t have the s3:ListBucket
			//   permission, Amazon S3 will return an HTTP
			//   status code 403 ("access denied") error.`
			if globalPolicySys.IsAllowed(policy.BucketPolicyArgs{
				Action:          policy.ListBucketAction,
				BucketName:      bucket,
				ConditionValues: getConditionValues(r, "", auth.AnonymousCredentials),

requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed.  Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.