Role-based administration does not support an explicit deny action on security roles, security scopes, or collections assigned to an ADMINISTRATIVE user. INSTEAD, configure security roles, security scopes, and collections to grant permissions to administrative users. If users do not have permissions to objects by use of these role-based administration elements, they MIGHT have only partial access to some objects, for example they might be able to view, but not MODIFY specific objects. However, you can use collection membership to EXCLUDE collections from a collection that is assigned to an administrative user.

Role-based administration does not support an explicit deny action on security roles, security scopes, or collections assigned to an administrative user. Instead, configure security roles, security scopes, and collections to grant permissions to administrative users. If users do not have permissions to objects by use of these role-based administration elements, they might have only partial access to some objects, for example they might be able to view, but not modify specific objects. However, you can use collection membership to exclude collections from a collection that is assigned to an administrative user.