diff --git a/vault/acl.go b/vault/acl.go
index f8871f682..a0f9b578a 100644
--- a/vault/acl.go
+++ b/vault/acl.go
@@ -243,7 +243,8 @@ CHECK:
 case logical.CreateOperation:
 operationAllowed = capabilities&CreateCapabilityInt > 0
- // These three re-use UpdateCapabilityInt since that's the most appropriate capability/operation mapping
+ // These three re-use UpdateCapabilityInt since that's the most appropriate
+ // capability/operation mapping
 case logical.RevokeOperation, logical.RenewOperation, logical.RollbackOperation:
 operationAllowed = capabilities&UpdateCapabilityInt > 0
@@ -255,7 +256,8 @@ CHECK:
 return false, sudo
 }
- // Only check parameter permissions for operations that can modify parameters.
+ // Only check parameter permissions for operations that can modify
+ // parameters.
 if op == logical.UpdateOperation || op == logical.DeleteOperation || op == logical.CreateOperation {
 // Check if all parameters have been denied
 if _, ok := permissions.DeniedParameters["*"]; ok {
@@ -271,7 +273,12 @@ CHECK:
 // Check if parameter has explictly denied
 if valueSlice, ok := permissions.DeniedParameters[parameter]; ok {
 // If the value exists in denied values slice, deny
- return !valueInParameterList(value, valueSlice), sudo
+ if valueInParameterList(value, valueSlice) {
+ return false, sudo
+ }
+ // If the value doesn't exist in the denied values slice,
+ // continue
+ continue
 }
 // Specfic parameters have been allowed
@@ -280,16 +287,17 @@ CHECK:
 if valueSlice, ok := permissions.AllowedParameters[parameter]; !ok {
 return false, sudo
 } else {
- // If the value exists in the allowed values slice, allow
- return valueInParameterList(value, valueSlice), sudo
+ // If the value doesn't exists in the allowed values slice,
+ // deny
+ if !valueInParameterList(value, valueSlice) {
+ return false, sudo
+ }
 }
 }
 }
-
- return true, sudo
 }
- return operationAllowed, sudo
+ return true, sudo
 }
 func valueInParameterList(v interface{}, list []interface{}) bool {
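Review bot: The `continue` added in the DeniedParameters branch (third hunk) ends the loop body for that parameter, so the AllowedParameters lookup that follows under "Specfic parameters have been allowed" is never reached for any key that has a DeniedParameters entry; a key restricted to one value set in `allowed_parameters` and given a different set in `denied_parameters` therefore accepts a value that is in neither list, which is fail-open relative to the allowed list. If that precedence is deliberate it should be stated at the `continue`, e.g. `// A key with a denied_parameters entry is governed by that list alone; the allowed_parameters check below is skipped for it`; if not, the fail-closed form is to drop the `continue` and its comment so the branch is just `if valueInParameterList(value, valueSlice) { return false, sudo }` and the allowed check still runs. The final `return true, sudo` that replaces `return operationAllowed, sudo` is only safe if the `!operationAllowed` guard before the parameter check (its `return false, sudo` is the first context line of the second hunk) is still in place, which appears to be the case. The new comment in the fourth hunk also reads `doesn't exists`; `doesn't exist`. The enclosing function begins before the first hunk.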
diff --git a/vault/acl_test.go b/vault/acl_test.go
index 0eca30f76..e8779a728 100644
--- a/vault/acl_test.go
+++ b/vault/acl_test.go
@@ -338,6 +338,8 @@ func TestACL_ValuePermissions(t *testing.T) {
 {"foo/baz", []string{"allow"}, []interface{}{"good"}, true},
 {"foo/baz", []string{"deny"}, []interface{}{"bad"}, false},
 {"foo/baz", []string{"deny"}, []interface{}{"good"}, true},
+ {"foo/baz", []string{"allow", "deny"}, []interface{}{"good", "bad"}, false},
+ {"foo/baz", []string{"deny", "allow"}, []interface{}{"good", "bad"}, false},
 {"foo/baz", []string{"allow"}, []interface{}{"bad"}, false},
 {"foo/baz", []string{"neither"}, []interface{}{"bad"}, false},
 {"fizz/buzz", []string{"allow_multi"}, []interface{}{"good"}, true},
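Review bot: The two added cases send two different parameters, each presumably governed by one of the two maps, but no case exercises a single parameter that appears in both `AllowedParameters` and `DeniedParameters`, which is exactly the path where the `continue` added to acl.go decides whether the allowed-value list still applies. Assuming the fixture policy keys these maps by parameter name (the `allow`/`deny`/`neither` names here read that way), a case that sends such a parameter with a value in neither list would pin that precedence one way or the other; as written the fix is only verified through the ordering of the two parameters. The case table continues outside the hunk.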