When creating or developing test documentation, one thing you need to consider is the permissiveness policy of the application. Is it Least-Permissive or Most-Permissive?

A Least-Permissive policy is one that is the most secure, but remember that things that are more secure are also less user-friendly. In this sort of situation the fallback position is always a deny. If, for instance, you have some sort of multi-step authentication process and any of the steps say deny, then you cannot get access — even if every other one would have allowed it.

A Most-Permissive policy is the opposite (duh). If anything in the processing chain says that the action is allowed, or you are unsure, then it is allowed.
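The two policies can be written as two ways of combining the same chain of step verdicts, which also gives you the expected-result column for your test cases. This is an added example, not code from any particular application: the step names, the request fields, treating a step that raises as "unsure", and the empty-chain behaviour are all assumptions.

```python
from enum import Enum

Verdict = Enum("Verdict", "ALLOW DENY UNSURE")

def run_chain(checks, request):
    """Run every step; a step that raises is recorded as UNSURE (assumption)."""
    verdicts = []
    for check in checks:
        try:
            verdicts.append(check(request))
        except Exception:
            verdicts.append(Verdict.UNSURE)
    return verdicts

def least_permissive(verdicts):
    # Fallback is deny: every step must say ALLOW. An empty chain denies (assumption).
    return bool(verdicts) and all(v is Verdict.ALLOW for v in verdicts)

def most_permissive(verdicts):
    # Any ALLOW or UNSURE grants access. An empty chain counts as unsure (assumption).
    return not verdicts or any(v is not Verdict.DENY for v in verdicts)

# Hypothetical steps of a multi-step authentication process.
def password_step(req):
    return Verdict.ALLOW if req["password_ok"] else Verdict.DENY

def otp_step(req):
    return Verdict.ALLOW if req["otp_ok"] else Verdict.DENY

def device_step(req):
    # Raises KeyError when no device record exists; run_chain maps that to UNSURE.
    return Verdict.ALLOW if req["device"]["trusted"] else Verdict.DENY

CHAIN = [password_step, otp_step, device_step]

# Constructed requests; each one is a row of expected results for the test docs.
CASES = {
    "all steps allow": {"password_ok": True, "otp_ok": True, "device": {"trusted": True}},
    "one step denies": {"password_ok": True, "otp_ok": False, "device": {"trusted": True}},
    "one step unsure": {"password_ok": True, "otp_ok": True},
    "all steps deny": {"password_ok": False, "otp_ok": False, "device": {"trusted": False}},
}

def decision_table(chain=CHAIN, cases=CASES):
    """Return {case: (least_permissive_result, most_permissive_result)}."""
    rows = {name: run_chain(chain, req) for name, req in cases.items()}
    return {name: (least_permissive(v), most_permissive(v)) for name, v in rows.items()}
```

The rows where the two results differ (one step denies, one step unsure) are the ones whose expected outcome depends on which policy the application follows.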

You might be tempted to use a hybrid approach where some parts of the application are one and others are the other, but this produces an internal inconsistency and will likely confuse users about what they can expect to be able to do.

Both have their place in the application landscape, but these are key context determiners, so make sure you know what your application is trying to follow.