There is a system (Windows, ASP.NET application, Linux, whatever...), and in this system many user groups exist.
We have one user in two user groups A and B.
In user group A access to folder XY is allowed.
In user group B access to folder XY is denied.
How is a conflict like this resolved?
What are the recommendations/best practices to avoid this situation?
The Principle of Least Privilege states that the best practice is to ensure that the default state should be to deny access. The user rights system should be used to add access rights to groups that need it. Under least privilege it should never be necessary to ever ban access.
Of course, while it's very difficult to manage, sometimes being able to apply ban permissions as well is pragmatically useful. To be useful, the deny should be stronger than the allow.
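The resolution rule described in the answer above (default deny, explicit deny stronger than allow), shown as an added example that is not part of the original post. The user names, the `Entry` type and the function names are hypothetical, and the data is constructed to mirror the question; `find_conflicts` is an extra audit step for spotting the allow/deny overlap before it surprises anyone.

```python
from dataclasses import dataclass

ALLOW, DENY = "allow", "deny"

@dataclass(frozen=True)
class Entry:
    group: str
    resource: str
    effect: str  # ALLOW or DENY

# Constructed sample data mirroring the question: one user in groups A and B.
MEMBERSHIP = {"alice": {"A", "B"}, "bob": {"A"}, "carol": {"C"}}
ACL = [Entry("A", "XY", ALLOW), Entry("B", "XY", DENY)]

def effects_for(user, resource, acl=ACL, membership=MEMBERSHIP):
    """Collect every effect that reaches the user through group membership."""
    groups = membership.get(user, set())
    return {e.effect for e in acl if e.resource == resource and e.group in groups}

def is_allowed(user, resource, acl=ACL, membership=MEMBERSHIP):
    """Deny by default; an explicit deny overrides any allow."""
    effects = effects_for(user, resource, acl, membership)
    if DENY in effects:
        return False          # deny is stronger than allow
    return ALLOW in effects   # no matching entry at all -> default deny

def find_conflicts(acl=ACL, membership=MEMBERSHIP):
    """Audit: list (user, resource) pairs that receive both allow and deny."""
    resources = {e.resource for e in acl}
    return sorted(
        (user, res)
        for user in membership
        for res in resources
        if effects_for(user, res, acl, membership) == {ALLOW, DENY}
    )

if __name__ == "__main__":
    for user in sorted(MEMBERSHIP):
        print(user, "XY", "allowed" if is_allowed(user, "XY") else "denied")
    print("conflicts:", find_conflicts())
```

Running the audit regularly and fixing each hit by narrowing the allow group, rather than adding more deny entries, keeps the rule set closer to the pure least-privilege model the answer recommends.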