I am not sure about this .. also would be good to explain more with an example.

I believe this is true, but ordering shouldn't matter. Each access control is independent from the others.

well.. if they are independent.. what does that mean .. are the evaluted in order . what if the first on does a deny .. but the second one would be granting access ..

Any individual deny results in deny as the final result. So it doesn't really matter which does this first :)

So if there is a deny in the first access control system .. will it continue evaluating or return immediately without checking any others?

It will stop on first deny, but the point is that this should be treated as a set, not a list - so "any of" not "first of". But maybe I'm nit-picking too much :)

No .. this is important to know .. so if it is a set .. and not ordered .. does that mean that admins can not rely on the order of the config files and use that for performance improvements .. for example if it is ordered you could recommend that the most restrictive access control is first in the list, or if some are fast (file based maybe) and others are slow (opa with external IO calls and service) then maybe its good to have the fast one first in the list ..

but if the list is not ordered .. all that advice is potentially wrong/meaningless

I have removed the ordered mention for now .. and think we can leave it at that. We can always iterate later as well.

Well, it is ordered, but I would consider this an implementation detail. I don't know if it's intentional, but I would be wary of users actually relying on this ordering.

does that mean that admins can not rely on the order of the config files and use that for performance improvements

Does this actually come up in practice? Access controls are not supposed to be noticeably slow (they run during analysis and making analysis slower makes people nervous, AFAICT). We may be trying to prematurely optimize things.

Also, further in the document we say that configuring multiple access controls is not recommended anyway :)

Fair enough .. and to be clear .. I am not sure if this comes up in practice .. but I would be surprised if there are not performance hits from it .. esp with more complex ones like OPA .. I know for a fact that the scripts there can be a performance issue.. so the overall access control is then affected.. so it might make sense to be able to give such advice... also I know that in other such setups we talk about order (I think authentication types) and I think it is on purpose there ..

can you make chime in @dain ..

I believe this is true, but ordering shouldn't matter. Each access control is independent from the others.