User privileges should be managed primarily through the use of group mappings, which are inclusive. However, if it is necessary to specifically prevent a Windows group or user from being associated with a particular OnBase User Group, that user or group can be mapped to the Exclusions for the OnBase User Group. Adding a user or group to the Exclusions is analogous to the Windows Deny permission.
To explicitly exclude an Active Directory user or group from an OnBase User Group, use drag-and-drop mouse functionality in the Active Directory - Enhanced dialog box:
If a user or group is excluded from a User Group in OnBase, that user or the group's members are not granted the OnBase rights for that User Group. However, if a user or group is mapped to multiple OnBase User Groups, the user or group's members will retain any rights to OnBase User Groups they are not excluded from.
For example, if a user is a member of both OnBase User Group A and B, and both User Groups have Indexing rights, then the user retains Indexing rights in OnBase if they are only excluded from User Group A or B, because they are still a member of the other group.
To prevent an Active Directory user or members of an Active Directory group from logging in to OnBase altogether, add them to the root Exclusions node at the bottom of the Groups pane: