To determine whether a user has a certain privilege, first the role policy is checked. If the user belongs to a role that has been granted/denied that privilege then the user is deemed to have been granted/denied that privilege. If a conclusive answer is not found, which is possible because the privileges may have been delegated, the object's security policy is checked. If the user belongs to a role that has been granted/denied that privilege then the user is deemed to have been granted/denied that privilege. If no conclusive answer is found, the user is denied access.