Morpho uses 'allowFirst' by default when building access control
When inserting access control sections into EML documents created by Morpho, Morpho defaults to using a permission order of 'allowFirst' rather than 'denyFirst'. This creates an unintended problem when a deny statement is inserted for public access. For instance, the data-managers group below will be denied access after it has been granted access in the allow statement because it, too, belongs to the 'public' (everyone) group.
If the above had a permission order set to 'denyFirst', public read access would be denied, and then the allow statement would 'punch through' and provide all access to the data-managers group (which is the intention of this access statement).
Morpho should be configured to default to 'denyFirst' when creating acls to avoid this situation.