The permission descriptor for the
deny-read permissions, which controls
access to reading resources from the local host. The option
scoping the permission to a specific path (and if the path is a directory
any sub paths).
Permission granted under
allow-read only allows runtime code to attempt
to read, the underlying operating system may apply additional permissions.