I understand that if for an access group there are two access roles defined such that access role A grants access for a class and the other access role B doesn't grant access then PEGA chooses the most permissible setting meaning that access is granted if at least one access role allows it. Can somebody confirm on the below if my understanding is correct
1. If I add third access role C which has access deny defined for the class then access won't be granted because access deny overrides all the other access roles which granted the access.
2. In the access role C does the access deny need to be defined for the most specific class similar to ARO or access deny will be applicable even if defined for any hierarchy class