
Negative Rights

So far, we have assumed that an entry of the access matrix contains either positive rights or no rights; we have not assumed the existence of explicit negative rights. Without inheritance, negative rights are not needed: the absence of a right (in the access matrix, capability list, or access list) implies denial of access. With inheritance, however, the rule changes. If a right is given to a general group but not to a specific member, the member inherits the right even though no right was explicitly given to it. For instance, if the Write right is given to the class group 242 but not explicitly to student joe, a member of the class, then joe (and every other student in the class) is assumed to hold the right.

The absence of negative rights creates no problem when a whole group is to be given some access right, but it becomes painful when all but a few members of a large group are to be given the right. For instance, what if the Write right is to be given to every student in 242 except joe? Without negative rights, I would have to explicitly give the positive right to each member of the group other than joe, and thus forgo the power of inheritance (and keep that list of explicit entries in step with the group's membership as students join or leave). Therefore, systems that support inheritance also allow explicit specification of negative rights that deny access.

Continuing with the example, I can give all but one member of the group 242 the Write right to an object by giving the group 242 the positive Write right and joe the negative Write right. For this to work, the system must resolve the conflict between the two entries in favour of the more specific one: joe's explicit negative right must override the positive right he would otherwise inherit from 242, while the other members of the class, who have no explicit entry of their own, still inherit it.
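The following is an added example, not code from these notes: a small access-list checker with group inheritance and explicit negative rights. The principals (joe, ann, bob, pat, the class group 242 and the groups students and suspended) and the access lists are constructed sample data, and the conflict-resolution rule is an assumption made here, since the notes only say that a negative right denies access: an entry on a more specific principal overrides one inherited from a group, and among entries at the same distance from the principal a negative entry wins. It also shows what a system without negative rights forces you to write for the same policy.

```python
"""Access list with group inheritance and explicit negative rights.

Added example for these notes, not code from the original page.  The
principals and access lists below are constructed sample data, and the
conflict-resolution rule is an assumption: an entry on a more specific
principal overrides one inherited from a group, and among entries at the
same distance a negative entry wins.
"""
from typing import Dict, List, Set, Tuple

# Group membership: principal -> groups it belongs to directly (constructed).
# joe, ann, bob and pat are students in class 242; 242 is part of students;
# pat is additionally in the group suspended.
MEMBERSHIP: Dict[str, Set[str]] = {
    "joe": {"242"},
    "ann": {"242"},
    "bob": {"242"},
    "pat": {"242", "suspended"},
    "242": {"students"},
}

# One object's access list: (principal, right, granted) entries.
# granted=False is an explicit negative right.
AccessList = List[Tuple[str, str, bool]]


def ancestors(principal: str,
              membership: Dict[str, Set[str]] = MEMBERSHIP) -> List[List[str]]:
    """Principals ordered by specificity: [[principal], [its groups], [their groups], ...]."""
    levels, seen, frontier = [[principal]], {principal}, [principal]
    while frontier:
        nxt: List[str] = []
        for p in frontier:
            for g in sorted(membership.get(p, ())):
                if g not in seen:
                    seen.add(g)
                    nxt.append(g)
        if nxt:
            levels.append(nxt)
        frontier = nxt
    return levels


def check_access(acl: AccessList, principal: str, right: str,
                 membership: Dict[str, Set[str]] = MEMBERSHIP) -> bool:
    """Decide whether principal holds right under the access list acl.

    Walk from the principal itself outward through its groups.  The nearest
    level holding any entry for the right decides, and at that level a single
    negative entry denies.  No entry at any level means denial.
    """
    for level in ancestors(principal, membership):
        verdicts = [granted for p, r, granted in acl if p in level and r == right]
        if verdicts:
            return all(verdicts)
    return False


def enumerate_positive(members: List[str], excluded: Set[str], right: str) -> AccessList:
    """What a system without negative rights forces: one positive entry per
    member not excluded, a list that must be maintained as the group changes."""
    return [(m, right, True) for m in members if m not in excluded]


# Two entries express "everyone in 242 except joe may write".  Read is
# inherited from the enclosing group students; suspended members lose Write
# even though 242 grants it, because at the same level deny wins.
ACL_WITH_NEGATIVE: AccessList = [
    ("242", "Write", True),
    ("joe", "Write", False),
    ("students", "Read", True),
    ("suspended", "Write", False),
]

# The "242 except joe" Write policy spelled out without negative rights.
ACL_ENUMERATED: AccessList = enumerate_positive(["joe", "ann", "bob", "pat"], {"joe"}, "Write")


if __name__ == "__main__":
    for who in ("joe", "ann", "bob", "pat"):
        for right in ("Write", "Read"):
            print(f"{who:4} {right:5} -> {check_access(ACL_WITH_NEGATIVE, who, right)}")
```

Note that adding an explicit positive entry for pat would restore his Write access under this rule, because an entry on the principal itself is more specific than the group entries that conflict; which way such ties are broken is a design decision each system has to make explicit.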



Prasun Dewan
Mon Nov 4 12:08:34 EST 1996