Change the Access Evaluation Flow so that Allow overwrites Deny #2081
lennyhorstink2 started this conversation in Ideas
In the Access evaluation flow the first two steps are:
In multiple projects we need it the other way around, so that when any rule defines an explicit Allow, the evaluation results in Allow.
A use case I've experienced is where a user named X needs access to two namespaces. For example, the CRM and the Case Management Solution. The user X has normal CRM access permissions with the "CRM User" role. By default that user role does not give access to the Case Management Solution because we don't want all CRM users to have access to the Case Management solution.
For the Case Management Solution access there is the role "Case Management User". This explicitly allows access to that namespace. User X also gets this role, because he needs to be a "CRM User" and "Case Management User".
But, this doesn't work. The user will not be able to see the Case Management solution because the "CRM role" denies access.
What I would suggest is the following:
This makes more sense. When a user has multiple roles it's normally to grant more permissions instead of giving the user fewer permissions.
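As an added example (not part of the original post and not the project's own code), a minimal rule evaluator compares the two combining orders for user X. The `Rule` model, the `evaluate` function and the mode names are assumptions, and the rule sets are constructed from the roles described in the post.

```python
# Added illustration; rule model and names are assumptions, not the project's API.
from dataclasses import dataclass

ALLOW, DENY = "Allow", "Deny"

@dataclass(frozen=True)
class Rule:
    role: str
    namespace: str
    effect: str  # ALLOW or DENY

def evaluate(rules, user_roles, namespace, combine="deny-overrides"):
    """Return ALLOW or DENY for a user holding user_roles on namespace."""
    effects = {r.effect for r in rules
               if r.role in user_roles and r.namespace == namespace}
    if combine == "deny-overrides":
        # Any explicit Deny wins; otherwise an explicit Allow grants access.
        if DENY in effects:
            return DENY
        return ALLOW if ALLOW in effects else DENY
    if combine == "allow-overrides":
        # Any explicit Allow wins, even when another role denies.
        return ALLOW if ALLOW in effects else DENY
    raise ValueError(f"unknown combining mode: {combine}")

# Constructed rules modelled on the roles in the post.
EXPLICIT_DENY = [
    Rule("CRM User", "CRM", ALLOW),
    Rule("CRM User", "Case Management", DENY),
    Rule("Case Management User", "Case Management", ALLOW),
]
# Same roles, but "CRM User" simply has no rule for Case Management.
NO_GRANT = [r for r in EXPLICIT_DENY if r.effect != DENY]

USER_X = {"CRM User", "Case Management User"}

if __name__ == "__main__":
    for label, rules in (("explicit deny", EXPLICIT_DENY), ("no grant", NO_GRANT)):
        for mode in ("deny-overrides", "allow-overrides"):
            print(label, mode, evaluate(rules, USER_X, "Case Management", mode))
```

With the explicit Deny removed from "CRM User", the deny-overrides order already grants user X access while a plain CRM user stays locked out. Under allow-overrides, an explicit Deny no longer blocks a user who holds any role with an Allow on the same namespace.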