PD Server administrators often make one common mistake when trying to organize shared and exclusive access to different objects in a single database for several users at once. They set up FULL access to the entire database for User1 and then use the 'Deny' flag to exclude some objects from that user's access, as in the picture below:
Another variant of this error is granting READ access to ALL databases to all users in the Default Server policies, as here:
The above approach is wrong because it allows full read access by default: a restricted user (User1) will have full read access to all new objects created in the root folder of the database by other users, whether intentionally or by mistake. Using the Deny flag for routine rights assignments is also strongly discouraged because of its specifics. Normally, any common rights assignment task can be done without the Deny flag.
Let us consider a simple example: in a single database, users User1 and User2 must each have a private folder for exclusive access and one common folder for shared access. For the entire database we grant User1 and User2 only USE access, and in no case READ/DELETE/MODIFY access:
Now we grant rights on folders in the database:
User1 gets full access to Folder for User1 and Shared Folder
User2 gets full access to Folder for User2 and Shared Folder
Instead of User1 and User2, group objects can of course be used, so that all members of those groups have access only to their own or shared folders and no access to any newly created entries or folders elsewhere.
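
The difference between the two approaches can be shown with a small model. This is an added example, not Password Depot Server code: it assumes that an object inherits the rights entry of its nearest ancestor and that a Deny on any ancestor wins, and the object names and helper functions are constructed for illustration.

```python
# Added illustration: a simplified rights model, NOT Password Depot Server's
# actual engine. Assumptions: an object inherits the entry of its nearest
# ancestor that has one for the user, and a Deny on any ancestor wins.
FULL = frozenset({"USE", "READ", "MODIFY", "DELETE"})
USE_ONLY = frozenset({"USE"})
DENY = "DENY"

def effective_rights(policy, user, path):
    """Rights `user` holds on `path`, e.g. 'DB/Shared Folder/wifi'."""
    parts = path.split("/")
    chain = ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]
    entries = [policy.get((user, node)) for node in chain]
    if DENY in entries:                 # explicit Deny overrides any grant
        return frozenset()
    for entry in reversed(entries):     # nearest ancestor with an entry
        if entry is not None:
            return entry
    return frozenset()                  # no entry anywhere: no access

def readable(policy, user, objects):
    """Objects on which `user` ends up with READ."""
    return [o for o in objects if "READ" in effective_rights(policy, user, o)]

# The setup the article warns against: FULL on the database, then Deny.
FULL_PLUS_DENY = {
    ("User1", "DB"): FULL,
    ("User1", "DB/Folder for User2"): DENY,
}
# The setup the article recommends: USE on the database, FULL per folder.
USE_PLUS_GRANTS = {
    ("User1", "DB"): USE_ONLY,
    ("User1", "DB/Folder for User1"): FULL,
    ("User1", "DB/Shared Folder"): FULL,
}
# Constructed sample objects; the last two are created later by User2.
OBJECTS = [
    "DB/Folder for User1/vpn",
    "DB/Shared Folder/wifi",
    "DB/Folder for User2/bank",
    "DB/new entry in root",
    "DB/New folder/entry",
]

if __name__ == "__main__":
    for name, policy in (("FULL + Deny", FULL_PLUS_DENY),
                         ("USE + grants", USE_PLUS_GRANTS)):
        print(name, "->", readable(policy, "User1", OBJECTS))
```

Under the first policy User1 can read both objects that User2 created afterwards; under the second, only the private and shared folders are readable and nobody has to remember to add a Deny for each new object.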