Is there an existing issue for this?

• I have searched the existing issues

Problem statement

As noted during #1803, legacy ACLs may contain DENY rules interspersed amongst GRANT permissions. These are not supported by UC and cannot be migrated. As of #1815 these are handled during group migration, but during table migration the ACLs will be dropped and a warning generated.

This may be problematic for customers because it means additional users will end up having permissions on migrated tables, and it's not a 'fail-safe' situation.

Users should be warned earlier than table migration about this being a problem because fixing this might be quite time-consuming.

Proposed Solution

During assessment we should detect and report on the presence of DENY ACLs.

Additional Context

No response