000020700 - Why can't users access ClearTrust protected resources when aserver is in active mode?

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 2

Article Content

Article Number: 000020700
Applies To: RSA ClearTrust Authorization Server (AServer)
Issue: Why can't users access ClearTrust protected resources when aserver is in active mode?
When configuring the aserver in active mode by setting the aserver.conf parameter:

cleartrust.aserver.authorization_mode=active

the ClearTrust super-admin expects users to be given access to a resource unless access has been explicitly revoked. Likewise, when the parameter is set to passive, administrators expect users to be denied access unless it has been explicitly granted. Thus, without giving entitlements to these users, the super-admin expects them to be granted access to a ClearTrust protected resource, but this does not happen.
Cause: This incorrect expectation comes from the statements in the aserver.conf file:

passive - defines that unless a user is explicitly give access, the user will be denied the resource
active - defines that unless a user is explicitly revoked access, the user will be granted access to the resource
Resolution: When the authserver mode is set to active, users are still denied access to resources that have been explicitly added in ClearTrust. The only way they can get access to those resources is for administrators to give them entitlements to those resources. However, all other resources on the Web server will be available for general access.

When the authserver mode is set to passive, every resource is protected by default, regardless of whether or not it is part of an application. To provide users access to a resource, administrators must explicitly define each resource as part of an application and grant access to users with either an entitlement or a Smart Rule.
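
The following added example models the two modes as described above and lists which paths active mode leaves open; it is an illustration, not RSA ClearTrust code. The function names, the exact-path matching and the sample inventory are assumptions constructed for this example.

```python
# Added illustration: a model of the decision rules described in this article,
# not RSA ClearTrust code. All names and sample data below are constructed.

def decide(mode, resource, user, defined, grants):
    """Return True if `user` may access `resource`.

    mode    -- value of cleartrust.aserver.authorization_mode
    defined -- resources explicitly added to ClearTrust (part of an application)
    grants  -- (user, resource) pairs granted by an entitlement or Smart Rule
    Resources are matched by exact path here, which is a simplification.
    """
    if mode not in ("active", "passive"):
        raise ValueError(f"unknown authorization_mode: {mode!r}")
    if resource in defined:
        # Both modes: a defined resource needs an explicit grant.
        return (user, resource) in grants
    # Undefined resource: open in active mode, denied in passive mode.
    return mode == "active"


def unprotected_in_active_mode(web_inventory, defined):
    """Paths on the web server that active mode leaves open to everyone."""
    return sorted(set(web_inventory) - set(defined))


# Constructed sample data.
WEB_INVENTORY = ["/index.html", "/hr/payroll.html", "/admin/console", "/img/logo.png"]
DEFINED = {"/hr/payroll.html"}
GRANTS = {("alice", "/hr/payroll.html")}

if __name__ == "__main__":
    for mode in ("active", "passive"):
        for user in ("alice", "bob"):
            for path in WEB_INVENTORY:
                verdict = "ALLOW" if decide(mode, path, user, DEFINED, GRANTS) else "DENY"
                print(f"{mode:8} {user:6} {path:18} {verdict}")
    print("open in active mode:", unprotected_in_active_mode(WEB_INVENTORY, DEFINED))
```

Running the inventory check before switching a server to active mode shows which paths would become generally accessible unless they are first added to ClearTrust.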
Legacy Article ID: a18271
