When authenticating by user, is it better to assign policies by

1. denying all first, then allowing by user/group
2. allowing all first, then denying by user/group

Is one trickier than the other?

Thanks in advance for your help,
Jill