# Rules/Exclusions

In addition to the normal permissions, you can also define "exceptions". For example, you can deny a user all actions in your cluster but still give them access to work in one specific group.

To do this, remove all of the user's rights on the cluster and click the "add new rule" button, then select the desired group and set the rights for it.

You can do the same, but in reverse: give the user access to all actions in the cluster, but prohibit working in a specific group or with a specific profile.
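
Both patterns amount to a cluster-level default plus narrower rules that override it. The sketch below is an added example, not the product's own code: the action names, the group and profile names, and the precedence (a profile rule beats a group rule, which beats the cluster rights) are assumptions made for illustration. Its `audit` method lists the rules that grant more than the cluster-level rights, which are the exceptions worth reviewing first.

```python
# Added illustration: a toy model of cluster rights plus rules (exceptions).
# Assumption: the most specific matching rule wins (profile > group > cluster).
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    scope: str         # "group" or "profile"
    target: str        # name of the group or profile the rule applies to
    rights: frozenset  # actions permitted in this scope (empty = prohibited)


@dataclass
class UserPolicy:
    cluster_rights: frozenset
    rules: list = field(default_factory=list)

    def is_allowed(self, action, group, profile=None):
        # Check the narrowest scope first, then fall back to the cluster rights.
        for scope, target in (("profile", profile), ("group", group)):
            for rule in self.rules:
                if rule.scope == scope and rule.target == target:
                    return action in rule.rights
        return action in self.cluster_rights

    def audit(self):
        """Return rules that grant actions the cluster-level rights do not."""
        return [(r.scope, r.target, sorted(r.rights - self.cluster_rights))
                for r in self.rules if r.rights - self.cluster_rights]


# Constructed sample data (hypothetical action, group and profile names).
ALL = frozenset({"view", "edit", "delete"})

# Pattern 1: no rights on the cluster, one group opened up by a rule.
contractor = UserPolicy(
    frozenset(),
    [Rule("group", "ads-team", frozenset({"view", "edit"}))],
)

# Pattern 2: all rights on the cluster, one group and one profile prohibited.
operator = UserPolicy(
    ALL,
    [Rule("group", "finance", frozenset()),
     Rule("profile", "payments-main", frozenset())],
)

if __name__ == "__main__":
    print(contractor.is_allowed("edit", "ads-team"))   # inside the exception
    print(operator.is_allowed("view", "finance"))      # inside the exclusion
    print(contractor.audit())
```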