negative IResourceAclEntry entries?

Hallo,

is it possible to use negative ACL entries for a resource? I mean, the API provides a check for isNegative() but I have never seen a negative IResourceAclEntry yet. Besides, I could not figure out how to specify a deny Permission within the KMC. The only thing I could manage to do is the "normal" specification of allow-permissions and service permissions. Perhaps anybody knows how to set a negative permission for a resource within the KMC-Portal area.

Thanks in advance,

Christian Vogt