docs: Add warning to avoid deny rules in Access Lists

docs/pages/enroll-resources/application-access/okta/sync-scim.mdx

@@ -96,7 +96,7 @@ resources.
 Given a case where
  1. the synchronization process detects that an Okta user has been deactivated
     or suspended, or
- 2. the Okta organization explicitly disables the account via SCIM,
+ 1. the Okta organization explicitly disables the account via SCIM,
 
 The Okta integration will immediately delete the corresponding Teleport
 account and create a temporary Teleport user lock. The user lock will

docs/pages/reference/access-controls/access-lists.mdx

@@ -168,6 +168,13 @@ spec:
       - required_value1
 ```
 
+## Access Lists and Deny Rules
+
+Use of [deny rules](./roles.mdx) in Access List roles is discouraged.
+Access Lists are not intended to be used as a tool for privilege reduction,
+and Teleport may assume it is safe to ignore Access Lists under certain conditions.
+Roles intended to reduce privileges should be assigned directly to users.
+
 ## Managing Access Lists from the CLI
 
 In addition to using the web UI, Access Lists can be created and managed from the CLI

docs/pages/reference/access-controls/roles.mdx

@@ -12,6 +12,7 @@ A Teleport role manages access by having two lists of rules: `allow` rules and
 
 - Nothing is allowed by default.
 - Deny rules get evaluated first and take priority.
+- Deny rules should be avoided on roles granted through Access Lists.
 
 You can use any of the following to manage Teleport roles and other dynamic
 resources:
@@ -571,7 +572,7 @@ attribute or OIDC claim called `trait`.
 
 You can specify an external trait in dot syntax if it begins with a letter and
 contains only letters, numbers, and underscores. Otherwise, you must use bracket
-syntax to specify a trait. 
+syntax to specify a trait.
 
 When using Azure AD or ADFS as your IdP, you must use bracket notation, as these
 IdPs assign attribute keys to URLs such as the following: