Denied read in acl

If i have a acl file with read mode for everybody, how can i denied someone that access?

I mean, if i have a rule like that for everybody:

   @prefix   acl:  <http://www.w3.org/ns/auth/acl#>.
    @prefix  foaf:  <http://xmlns.com/foaf/0.1/>.

    <#authorization2>
        a               acl:Authorization;
        acl:agentClass  acl:AuthenticatedAgent;                   # everyone
        acl:mode        acl:Read;                                 # has Read-only access
        acl:accessTo    <https://alice.example.com/docs/shared-file1>;  

and another rule for someone like that:

@prefix  acl:  <http://www.w3.org/ns/auth/acl#>.

<#authorization1>
    a             acl:Authorization;
    acl:accessTo  <https://alice.example.com/docs/shared-file1>;
    acl:agent     <https://bob.example.com/profile/card#me>.

does bob have acces to shared-file1?

Yes you can have different rules for different agents on the same resource. In fact, look at the ACL file for your /public/ folder. You’ll see that the owner has all permissions but the general public only has read permission.

In your example, you could give Bob and only Bob Write access. If all you want to do is give Bob read access, you don’t need the second statement because he, as an authenticated user, is granted that in the first statement.

AFAIK, there is currently no way to allow access to everyone except Bob and no way to specifically say that an agent is denied access. It seems to me that something like “acl:mode None” would allow you to do this but that’s not in the spec.

Ok, thanks, i will search more about the “acl:mode none”.
It would we really good if acl could manage the denied permissions easy, a lot of apps and options could be make.

I just made up acl:None as an example, AFAIK it doesn’t exist.