There is one common mistake PD Server administrators often make when trying to set up shared and exclusive access to different objects for different users in the same database.
They enable full access on the entire database for User1 and then use the "Deny" flag to keep that user from accessing some objects (see picture below):
Another way to cause this error is to grant reading access to all users for the whole database in the Default Server Policies, as you can see here:
The above approach is wrong because it allows full reading access by default. This means that a restricted user (User1) will have full reading access to all new objects that other users create in the root folder of the database, whether intentionally or by mistake.
In addition, using the "Deny" flag for routine rights assignments is not recommended because of its specifics. Usually, any common rights assignment task can be accomplished without the Deny flag.
Here is a simple example: In a database, users User1 and User2 need private folders for exclusive access and one common folder for shared access. In this case, we grant User1 and User2 only using access, with no reading/deleting/modifying access at all:
Now, we grant rights on specific folders in the database:
User1 gets full access to Folder for User1 and Shared Folder
User2 gets full access to Folder for User2 and Shared Folder
Of course, group objects can also be used here instead of User1 and User2, so that all members of these groups will have access to their own or shared folders only and no access to any newly created entries or folders in this database.
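The difference between the two layouts can be checked with a small model. This is an added example, not Password Depot Server code: it assumes a simplified evaluation in which a rights entry on a folder applies to everything beneath it and Deny overrides any grant, and the object names are constructed.

```python
# Simplified model of inherited rights (an assumption for illustration,
# not Password Depot Server's actual evaluation engine): an entry on a
# folder applies to everything beneath it, and Deny overrides any grant.

def ancestors(path):
    """Return path followed by each parent folder, ending at the root '/'."""
    parts = [p for p in path.split("/") if p]
    return ["/" + "/".join(parts[:i]) for i in range(len(parts), -1, -1)]

def can_read(policy, user, path):
    """policy maps (user, folder) -> 'allow' or 'deny' for the read right."""
    entries = [policy.get((user, node)) for node in ancestors(path)]
    return "deny" not in entries and "allow" in entries

def unintended_reads(policy, user, objects, intended_folders):
    """List objects the user can read that lie outside the intended folders."""
    def intended(path):
        return any(f in ancestors(path) for f in intended_folders)
    return [o for o in objects if can_read(policy, user, o) and not intended(o)]

# Constructed sample database; the last two objects were created in the
# root by User2 after the rights were assigned.
OBJECTS = [
    "/Folder for User1/mail",
    "/Folder for User2/bank",
    "/Shared Folder/wifi",
    "/New entry",
    "/New folder/server login",
]
INTENDED_USER1 = ["/Folder for User1", "/Shared Folder"]

# Mistake described above: database-wide access plus a Deny exception.
DENY_BASED = {
    ("User1", "/"): "allow",
    ("User1", "/Folder for User2"): "deny",
}
# Recommended layout: no database-wide read, explicit grants per folder.
GRANT_BASED = {
    ("User1", "/Folder for User1"): "allow",
    ("User1", "/Shared Folder"): "allow",
}

if __name__ == "__main__":
    for name, policy in (("deny-based", DENY_BASED), ("grant-based", GRANT_BASED)):
        print(name, unintended_reads(policy, "User1", OBJECTS, INTENDED_USER1))
```

With the deny-based policy, both objects created later in the root are readable by User1; with explicit per-folder grants, the list is empty.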