A very common banking scenario is one in which Customer Service Reps (CSRs) need to act on behalf of a given user to help them through problems. This usually occurs when a customer calls a bank, and the CSR needs to essentially log into the online banking system "as" that customer, but without knowing that user's password.
Once they are logged in, there are some things you'd like them NOT to be able to do, like create a new bill payment payee and send bill payments to it. 'Cause that's bad.
I'm trying to figure out how that would be modeled in AzMan, since as near as I can figure there's no such thing as an explicit "deny" in AzMan. All rights are essentially additive, and if any of a user's roles includes a grant, access is granted. At least that's the way it seems to behave; I could be wrong.
In a perfect world, we'd like to be able to simply model "the CSR can do everything the user can, except...".
The only way I can figure to make this work in AzMan right now is to create the CSR role with access to all operations except those on the deny list, then, when the CSR logs in, restrict the AccessCheck against AzMan to only the CSR role by setting the IAzClientContext's RoleForAccessCheck property. That way, only the CSR's rights are evaluated, even if they are assigned to other roles as well.
Not ideal, but at least it's easy to understand...
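The RoleForAccessCheck approach described in the post, written out as an added example (this is not code from the original post). It uses the AzMan COM interop (Microsoft.Interop.Security.AzRoles) from C#. The store path, the application name "OnlineBanking", the role name "CSR", the object names and the numeric operation IDs are all hypothetical placeholders for whatever the real policy store defines.

```csharp
// Added example: enforcing "the CSR can do everything the customer can, except
// the deny list" with AzMan by restricting the access check to one role via
// IAzClientContext.RoleForAccessCheck.
// Assumptions (hypothetical, not from the original post): an XML policy store at
// C:\AzStore\Banking.xml, an application named "OnlineBanking", a role named "CSR"
// that was granted every operation except the deny list, and operation IDs
// 101 (ViewAccounts), 102 (SendBillPayment), 103 (CreatePayee).
using System;
using System.Security.Principal;
using Microsoft.Interop.Security.AzRoles;   // COM interop for AzMan (azroles.dll)

static class CsrAccessCheck
{
    // AccessCheck returns one Win32 error code per requested operation;
    // ERROR_SUCCESS (0) means granted, anything else means denied.
    const int ERROR_SUCCESS = 0;

    // Operation IDs as defined in the (hypothetical) store. AccessCheck takes
    // the numeric operation IDs, not the operation names.
    const int OpViewAccounts    = 101;
    const int OpSendBillPayment = 102;
    const int OpCreatePayee     = 103;

    static IAzClientContext OpenContextForCurrentUser()
    {
        var store = new AzAuthorizationStoreClass();
        // Flags 0 = open for access checks; msxml:// selects an XML policy store
        // (an AD or ADAM store would use an LDAP URL instead).
        store.Initialize(0, @"msxml://C:\AzStore\Banking.xml", null);
        IAzApplication app = store.OpenApplication("OnlineBanking", null);

        // Build the client context from the logged-on Windows token, so the
        // context carries every role the caller is a member of.
        using (WindowsIdentity id = WindowsIdentity.GetCurrent())
        {
            return app.InitializeClientContextFromToken((ulong)id.Token.ToInt64(), null);
        }
    }

    // Returns true only if every requested operation is granted on the object.
    static bool IsGranted(IAzClientContext ctx, string objectName, params int[] operations)
    {
        object[] scopes = new object[] { "" };   // "" = check at the application scope
        object[] ops = Array.ConvertAll(operations, o => (object)o);
        object[] results = (object[])ctx.AccessCheck(
            objectName, scopes, ops, null, null, null, null, null);

        foreach (object r in results)
            if ((int)r != ERROR_SUCCESS) return false;   // fail closed on any non-zero code
        return true;
    }

    static void Main()
    {
        IAzClientContext ctx = OpenContextForCurrentUser();

        // A CSR is usually a member of several roles. AzMan grants are additive,
        // so an unrestricted check returns the union of all of them.
        Console.WriteLine("Unrestricted: CreatePayee granted     = "
            + IsGranted(ctx, "BillPay", OpCreatePayee));

        // Acting on behalf of a customer: evaluate ONLY the CSR role. Because the
        // CSR role was defined without the deny-listed operations, the missing
        // grants behave like denies for the rest of this session.
        ctx.RoleForAccessCheck = "CSR";
        Console.WriteLine("As CSR: ViewAccounts granted    = "
            + IsGranted(ctx, "Accounts", OpViewAccounts));
        Console.WriteLine("As CSR: CreatePayee granted     = "
            + IsGranted(ctx, "BillPay", OpCreatePayee));
        Console.WriteLine("As CSR: SendBillPayment granted = "
            + IsGranted(ctx, "BillPay", OpSendBillPayment));

        // When the on-behalf-of session ends, an empty string restores the
        // default behaviour (all of the caller's roles are evaluated again).
        ctx.RoleForAccessCheck = "";
    }
}
```

Two things worth keeping in mind with this pattern: the restriction lives on the IAzClientContext object, so the same context instance has to be used for every check during the on-behalf-of session (a freshly initialized context evaluates all roles again), and because AzMan has no explicit deny, the safety of the scheme depends entirely on the CSR role definition never being granted the deny-listed operations, which is something to audit in the store rather than in code.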