|Applies To||RSA ClearTrust Authorization Server (AServer)|
|Issue||Why can't users access ClearTrust protected resources when aserver is in active mode?|
When configuring the aserver in active mode by setting the aserver.conf parameter:
the ClearTrust super-admin expects users to be given access to a resource unless access has been explicitly revoked. Likewise, when the mode is set to passive, administrators expect users to be denied access unless access has been explicitly granted. So, without giving these users entitlements, the super-admin expects them to be granted access to ClearTrust-protected resources, but that does not happen.
|Cause||This incorrect expectation comes from the statements in the aserver.conf file:|
passive - defines that unless a user is explicitly given access, the user will be denied the resource
active - defines that unless a user is explicitly revoked access, the user will be granted access to the resource
|Resolution||When the authserver mode is set to active, users are still denied access to resources that have been explicitly added in ClearTrust. The only way users can get access to those resources is for administrators to give them entitlements to those resources. However, all other resources on the Web server will be available for general access.|
When the authserver mode is set to passive, every resource is protected by default, regardless of whether or not it is part of an application. To provide users access to a resource, administrators must explicitly define each resource as part of an application and grant access to users with either an entitlement or a Smart Rule.
|Legacy Article ID||a18271|
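
The decision logic described in the Resolution, modeled as an added example (not RSA code and not part of the original article) so the effect of switching modes can be checked against a resource inventory. The function names, the exact-match comparison of resource strings, and the sample users and paths are assumptions made for this sketch.

```python
from itertools import product

ACTIVE, PASSIVE = "active", "passive"

def is_allowed(mode, defined, grants, user, resource):
    """Access decision as the Resolution describes it.

    defined: resources explicitly added to ClearTrust (compared as exact
             strings here, a simplification for this sketch).
    grants:  (user, resource) pairs an administrator has granted (the article
             names entitlements, and for passive mode also Smart Rules).
    """
    if mode not in (ACTIVE, PASSIVE):
        raise ValueError(f"unknown mode: {mode!r}")
    if resource in defined:
        # A defined resource needs an explicit grant in BOTH modes.
        return (user, resource) in grants
    # Undefined resource: generally available in active, protected in passive.
    return mode == ACTIVE

def changed_by_mode(defined, grants, users, resources):
    """Requests whose outcome differs between active and passive mode."""
    return sorted(
        (u, r) for u, r in product(users, resources)
        if is_allowed(ACTIVE, defined, grants, u, r)
        != is_allowed(PASSIVE, defined, grants, u, r)
    )

# Constructed sample data, not taken from any real deployment.
DEFINED = {"/hr/payroll", "/hr/reviews"}
GRANTS = {("alice", "/hr/payroll")}
USERS = ["alice", "bob"]
RESOURCES = ["/hr/payroll", "/hr/reviews", "/index.html", "/backup/db.zip"]

if __name__ == "__main__":
    for mode in (ACTIVE, PASSIVE):
        for u, r in product(USERS, RESOURCES):
            verdict = "allow" if is_allowed(mode, DEFINED, GRANTS, u, r) else "deny"
            print(f"{mode:8} {u:6} {r:16} {verdict}")
    print("differs between modes:", changed_by_mode(DEFINED, GRANTS, USERS, RESOURCES))
```

Only resources that were never defined in ClearTrust change outcome between the two modes, which is why reviewing the Web server's undefined content matters before running in active mode.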