Deny is used whenever we just want to disable some functionality.

EnforceCreate requires create action granted on asset.

EnforceDelete requires delete action granted on asset.

EnforceRead requires read action granted on asset.

EnforceUpdate requires update action granted on asset.

FilterRead replaces asset with censored version if read action is not granted.