diff --git a/ansible_base/authentication/utils/claims.py b/ansible_base/authentication/utils/claims.py
index 8f2e21413..eff0c1e64 100644
--- a/ansible_base/authentication/utils/claims.py
+++ b/ansible_base/authentication/utils/claims.py
@@ -120,10 +120,11 @@ def create_claims(authenticator: Authenticator, username: str, attrs: dict, grou
 rule_responses.append({mpk: has_permission, 'enabled': auth_map.enabled})
 understood_map = False
- if auth_map.map_type == 'allow' and not has_permission:
- # If any rule does not allow we don't want to return this to true
- access_allowed = False
- understood_map = True
+ if auth_map.map_type == 'allow':
+ if not has_permission:
+ # If any rule does not allow we don't want to return this to true
+ access_allowed = False
+ understood_map = True
 elif auth_map.map_type == 'is_superuser':
 is_superuser = has_permission
 understood_map = True
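Review bot: The `understood_map = True` added under `if auth_map.map_type == 'allow':` is the whole fix, yet nothing in the branch records that it must run whether or not `has_permission` is true; a later tidy-up that folds the two conditions back together would restore the old behaviour for allow maps that grant. I would add a comment above it such as `# 'allow' is a recognised map type either way; only a denial changes access_allowed`. Indentation is not recoverable from this page, so confirm the assignment sits level with the inner `if not has_permission:` rather than inside it. The branch only ever sets `access_allowed` to False, so one denying allow map wins over any that grant, which is worth a regression test alongside the granting case. `create_claims` starts and ends outside the hunk, so what happens when `understood_map` stays False is not visible here.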