000020873 - ClearTrust SmartRule improperly evaluated when user property is NULL

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000020873
Applies To: RSA ClearTrust 5.0.1 Authorization Server (AServer)
Multiple SmartRules
Issue: ClearTrust SmartRule improperly evaluated when user property is NULL
Cause
SmartRule evaluation stops as soon as a NULL user property is encountered, so when a resource has multiple SmartRules the remaining rules may never be processed. This defect has been resolved in ClearTrust hot fix 5.0.1.68.
Resolution: This issue has been corrected in ClearTrust hot fix 5.0.1.68. Contact RSA Security Customer Support and request ClearTrust hot fix 5.0.1.68, or request the latest fix level (fix levels are cumulative and contain the fixes from previous levels).

After applying the hot fix, the AuthServer correctly evaluates SmartRules whose user property is NULL. If a user property has the value N/A (not yet entered), a SmartRule based on that property considers its condition met if and only if the operator is IS_NOT_EQUAL_TO or DOES_NOT_CONTAIN (DOES_NOT_CONTAIN applies to String properties only), regardless of whether the AuthServer is in "passive" or "active" mode.

NOTE: The AuthServer evaluates SmartRules in the following order to decide whether a user is authorized to access a resource:

- If the resource is set to "Deny access when policy conflicts occur":

  1. First, evaluate all DENY rules associated with the resource. This step yields a DENY result if the condition is met for at least one DENY rule.

  2. If step 1 yields no result (no condition met for any DENY rule), evaluate all ALLOW rules associated with the resource. This step yields an ALLOW result if the condition is met for at least one ALLOW rule.

  3. If steps 1 and 2 yield no result, evaluate all REQUIRE rules associated with the resource. This step yields a DENY result if the condition is NOT met for at least one REQUIRE rule; otherwise it yields an ALLOW result.

- If the resource is set to "ALLOW access when policy conflicts occur":

  1. First, evaluate all ALLOW rules associated with the resource. This step yields an ALLOW result if the condition is met for at least one ALLOW rule.

  2. If step 1 yields no result, evaluate all DENY rules associated with the resource. This step yields a DENY result if the condition is met for at least one DENY rule.

  3. If steps 1 and 2 yield no result, evaluate all REQUIRE rules associated with the resource. This step yields a DENY result if the condition is NOT met for at least one REQUIRE rule; otherwise it yields an ALLOW result.

NOTE: REQUIRE rules are always evaluated with the lowest priority.
Workaround: Implemented a smart rule to allow a user access to an application if the following was true:
    companyCode="DC10" AND ((title=Acct Manager) OR (title=Corrosion Tech))

The smart rules implementing the above business rule looked like the following:

    DENY if companyCode<>DC10;
    ALLOW if title=Acct Manager;
    ALLOW if title=Corrosion Tech;
    Policy Conflict Resolution set to "Deny access when policy conflicts occur"

This SmartRule set worked in all cases except when companyCode was not defined.
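The evaluation order and the post-hot-fix NULL semantics described above, applied to the workaround rule set, as an added Python model that is not RSA's code: the operator names IS_EQUAL_TO and CONTAINS and the sample users are assumptions, and "<>" in the rule set is read as IS_NOT_EQUAL_TO.

```python
from dataclasses import dataclass

# Post-hot-fix NULL semantics: an N/A property is met only by these operators.
NULL_SATISFIES = {"IS_NOT_EQUAL_TO", "DOES_NOT_CONTAIN"}

@dataclass(frozen=True)
class Rule:
    effect: str  # "DENY", "ALLOW" or "REQUIRE"
    prop: str    # user property name
    op: str      # operator; IS_EQUAL_TO and CONTAINS are assumed names
    value: str   # literal compared against the property

def condition_met(rule: Rule, user: dict) -> bool:
    """Evaluate one SmartRule; a missing or None property stands for N/A."""
    actual = user.get(rule.prop)
    if actual is None:
        return rule.op in NULL_SATISFIES
    if rule.op == "IS_EQUAL_TO":
        return actual == rule.value
    if rule.op == "IS_NOT_EQUAL_TO":
        return actual != rule.value
    if rule.op == "CONTAINS":
        return rule.value in actual
    if rule.op == "DOES_NOT_CONTAIN":
        return rule.value not in actual
    raise ValueError(f"unknown operator: {rule.op}")

def authorize(rules: list, user: dict, conflict: str = "DENY") -> str:
    """Apply the article's ordering. conflict is the resource's policy-conflict
    resolution ("DENY" or "ALLOW") and decides which pass runs first; REQUIRE
    rules run last and only when the first two passes yield no result."""
    first, second = ("DENY", "ALLOW") if conflict == "DENY" else ("ALLOW", "DENY")
    for effect in (first, second):
        if any(condition_met(r, user) for r in rules if r.effect == effect):
            return effect
    requires = [r for r in rules if r.effect == "REQUIRE"]
    return "DENY" if any(not condition_met(r, user) for r in requires) else "ALLOW"

# The workaround rule set from the article, with "<>" read as IS_NOT_EQUAL_TO.
WORKAROUND = [
    Rule("DENY", "companyCode", "IS_NOT_EQUAL_TO", "DC10"),
    Rule("ALLOW", "title", "IS_EQUAL_TO", "Acct Manager"),
    Rule("ALLOW", "title", "IS_EQUAL_TO", "Corrosion Tech"),
]

# Constructed sample users; in the last one companyCode is not yet entered.
for user in ({"companyCode": "DC10", "title": "Acct Manager"},
             {"companyCode": "DC20", "title": "Acct Manager"},
             {"title": "Corrosion Tech"}):
    print(user, "->", authorize(WORKAROUND, user))
```

With the fixed semantics the undefined companyCode satisfies the IS_NOT_EQUAL_TO DENY rule, so the third user is denied instead of evaluation stopping early.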
Legacy Article ID: a19326
