A security policy determines whether a user has access to a particular object. In an Oracle ATG Web Commerce application, the standard security policy is in Nucleus at /atg/dynamo/security/SecurityPolicy. This instance of the atg.security.StandardSecurityPolicy object provides the following policy:

Note: This policy differs slightly from the java.security.acl policy, where a combination of positive and negative ACL entries with the same Principal negate each other, providing no change to the access control for that Principal. This differentiation is deliberate; in no case should an explicit deny access control entry be ignored.