You can grant access or deny access to entries. Denied access has precedence over granted access. When you deny specific users or groups access to an entry, you replace other security policies that grant access to the entry.
If the grant and deny permissions are in conflict, access to the entry is always denied. For example, a user belongs to two groups. One group has access granted to a report and the other group has access denied to the same report. Access to this report is denied for the user.
Deny access only when it is really required. Typically, it is a better administrative practice to grant permissions than to deny them.
