This relates to two features: the commands.allow/commands.deny files (https://www.directadmin.com/features.php?id=1171) and the login key allow/deny files (http://help.directadmin.com/item.php?id=523).

In both cases, the allow always overrides the deny, as it does for various other rules (e.g. /etc/hosts.allow vs /etc/hosts.deny), so that logic will not change.

However, there are some cases where that's very inconvenient, such as where you want to allow a User to run all commands except for a few denied ones. A command example would be:

allow:
ALL_USER

deny:
CMD_LOGIN_KEYS
CMD_API_LOGIN_KEYS

In the above example, Login Keys would previously be allowed because CMD_LOGIN_KEYS is a subset of ALL_USER, and allow overrides deny.

This is a new feature to override the allow and force a deny for a command. Internal default:

commands_force_deny=CMD_LOGIN_KEYS:CMD_API_LOGIN_KEYS

Any command listed in commands_force_deny will override that command being in the allow. The variable is a list of commands, separated by colons.

The feature only has an effect when a command is listed in both the allow and the deny. It's basically a tie-breaker that forces a deny where a tie would previously have allowed the command.
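
The precedence described above, modeled as an added Python example (this is not DirectAdmin's own code). The members of ALL_USER beyond the two login-key commands, the function names, applying group expansion to both files, and the "unlisted" result for a command in neither file are assumptions made for illustration.

```python
# Added example: models the allow/deny/force-deny precedence described above.
# GROUPS is a constructed sample; the real members of ALL_USER are not listed on this page.
GROUPS = {
    "ALL_USER": {"CMD_LOGIN_KEYS", "CMD_API_LOGIN_KEYS", "CMD_FILE_MANAGER"},
}


def parse_force_deny(value):
    """Split a commands_force_deny value (colon-separated) into a set."""
    return {c.strip() for c in value.split(":") if c.strip()}


def matches(command, entries):
    """True if the command is listed directly or through a group such as ALL_USER."""
    return any(command == e or command in GROUPS.get(e, ()) for e in entries)


def decide(command, allow, deny, force_deny):
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'unlisted'."""
    in_allow = matches(command, allow)
    in_deny = matches(command, deny)
    if in_allow and in_deny:
        # Tie: allow used to win; commands_force_deny now flips it to deny.
        if command in force_deny:
            return "deny", "tie broken by commands_force_deny"
        return "allow", "tie, allow overrides deny"
    if in_allow:
        return "allow", "listed only in allow"
    if in_deny:
        return "deny", "listed only in deny"
    # Assumption: the page does not say what happens to a command in neither file.
    return "unlisted", "in neither file"


def audit(allow, deny, force_deny, commands):
    """Map each command to its verdict for a quick review of a User's files."""
    return {c: decide(c, allow, deny, force_deny)[0] for c in commands}


if __name__ == "__main__":
    allow = ["ALL_USER"]
    deny = ["CMD_LOGIN_KEYS", "CMD_API_LOGIN_KEYS", "CMD_FILE_MANAGER"]
    force = parse_force_deny("CMD_LOGIN_KEYS:CMD_API_LOGIN_KEYS")
    for cmd in sorted(GROUPS["ALL_USER"]):
        print(cmd, *decide(cmd, allow, deny, force))
```

In this model, a deny entry for a command that is also covered by ALL_USER but is not in commands_force_deny (CMD_FILE_MANAGER in the sample) still resolves to allow, which is the case worth checking when reviewing a User's files.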