All, Apache Ranger policy model enhancement to support deny-conditions and exceptions (RANGER-606<https://issues.apache.org/jira/browse/RANGER-606>) is available in tag-policy branch<https://github.com/apache/incubator-ranger/tree/tag-policy>. This enhancement adds the capability to explicitly deny access to resources based on users/groups, access-types and custom-conditions. It also supports allow/deny to be specified for a wider group (like employees, public, etc) but exclude specific users/groups who might be part of the wider groups.
An overview of the implementation, along with few examples is available in Apache wiki page here<https://cwiki.apache.org/confluence/display/RANGER/Deny-conditions+and+exceptions+in+Ranger+policies>. Please review. Thanks, Madhan
