I'm trying to create record rules in Odoo to control access to contacts (res.partner). Specifically, I want to:

1. Restrict certain users from viewing contacts with a specific tag.
2. Allow other users to see contacts based on company and partner share conditions.
3. Ensure that no other rule overrides this restriction (i.e., avoid an "allow all" scenario).

However, I noticed that if I have another global record rule that allows users to view all contacts, it seems to override my restriction, granting access again.

Questions:

1. How can I ensure that the restriction on certain users is applied first and cannot be overridden?
2. Would it be better to use separate deny and allow rules, or should I combine everything into a single rule?
3. Is there a way to explicitly deny access rather than relying on "not in" conditions?