You create ACLs that control access to services and files and assign them to the specific services and files that you want to protect.

To grant access to a service or file, the server first uses internally-defined information to determine whether the client is a member of allowed or denied groups listed in the ACL. If the server cannot find the information internally, it obtains externally defined information to determine if the ACL allows or denies access.

If you want to allow an externally defined user access to a service or file, update the ACL that protects the service or file to identify the external user's group or role as an Allowed group in the ACL. Similarly, if you want to explicitly deny an externally defined user access to a service or file, update the ACL that protects the service or file to identify the external user's group or role as a Denied group in the ACL.