Article Content
Article Number | 000020873 |
Applies To | RSA ClearTrust 5.0.1 Authorization Server (AServer) Multiple SmartRules |
Issue | ClearTrust SmartRule improperly evaluated when user property is NULL |
Cause | SmartRule evaluation stops if a NULL user property is encountered. Multiple rules may not be processed in this instance. This defect has been resolved in ClearTrust hot fix 5.0.1.68. |
Resolution | This issue has been corrected in ClearTrust hot fix 5.0.1.68. Please contact RSA Security Customer Support and request ClearTrust hot fix 5.0.1.68, or request the latest fix level (which is cumulative and contains the fixes from previous fix levels).
After applying the hot fix, the AuthServer correctly evaluates SmartRules against null values. If a user has a property with the value N/A (not yet entered), a SmartRule based on that property considers its condition met if and only if the operator is IS_NOT_EQUAL_TO or DOES_NOT_CONTAIN (DOES_NOT_CONTAIN applies to String properties only), regardless of whether the AuthServer is in "passive" or "active" mode.
NOTE: The AuthServer evaluates SmartRules in the following order to decide whether a user is authorized to access a resource:
- If the resource is set to "Deny access when policy conflicts occur":
  1. All DENY rules associated with the resource are evaluated first. This step yields a DENY result if the condition is met for at least one DENY rule.
  2. If step 1 yields no result (no DENY rule's condition is met), all ALLOW rules associated with the resource are evaluated. This step yields an ALLOW result if the condition is met for at least one ALLOW rule.
  3. If steps 1 and 2 yield no result, all REQUIRE rules associated with the resource are evaluated. This step yields a DENY result if the condition is NOT met for at least one REQUIRE rule, and otherwise yields an ALLOW result.
- If the resource is set to "ALLOW access when policy conflicts occur":
  1. All ALLOW rules associated with the resource are evaluated first. This step yields an ALLOW result if the condition is met for at least one ALLOW rule.
  2. If step 1 yields no result, all DENY rules associated with the resource are evaluated. This step yields a DENY result if the condition is met for at least one DENY rule.
  3. If steps 1 and 2 yield no result, all REQUIRE rules associated with the resource are evaluated. This step yields a DENY result if the condition is NOT met for at least one REQUIRE rule, and otherwise yields an ALLOW result.
NOTE: REQUIRE rules are always evaluated with the lowest priority. |
Workaround | A SmartRule was implemented to allow a user access to an application if the following was true:
companyCode="DC10" AND ((title=Acct Manager) OR (title=Corrosion Tech))
The SmartRule set implementing the above business rule looked like the following:
DENY if companyCode<>DC10;
ALLOW if title=Acct Manager;
ALLOW if title=Corrosion Tech;
Policy Conflict Resolution set to "Deny access when policy conflicts occur"
This SmartRule worked in all cases except when companyCode was not defined. |
Legacy Article ID | a19326 |
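The following Python model is an added example, not code from RSA or from the ClearTrust product. It implements the evaluation order given in the Resolution cell (DENY/ALLOW/REQUIRE in the order dictated by the conflict-resolution setting, with REQUIRE always last) together with the post-hot-fix rule that an N/A property satisfies only IS_NOT_EQUAL_TO and DOES_NOT_CONTAIN, and then runs the Workaround cell's three rules against a user whose companyCode is not defined. The operator constants IS_EQUAL_TO and CONTAINS, the mapping of the article's "=" and "<>" shorthand onto operators, the sample users, and returning None when no rule yields a result (the article does not state what happens when there are no REQUIRE rules) are all assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Operator names: the two negative operators are named in the article; the
# positive counterparts IS_EQUAL_TO and CONTAINS are assumed for this model.
IS_EQUAL_TO = "IS_EQUAL_TO"
IS_NOT_EQUAL_TO = "IS_NOT_EQUAL_TO"
CONTAINS = "CONTAINS"
DOES_NOT_CONTAIN = "DOES_NOT_CONTAIN"


@dataclass(frozen=True)
class SmartRule:
    action: str  # "ALLOW", "DENY" or "REQUIRE"
    prop: str    # user property the rule inspects
    op: str      # one of the operator constants above
    value: str   # literal the property is compared against


def parse_rule(text: str) -> SmartRule:
    """Parse the article's shorthand, e.g. 'DENY if companyCode<>DC10;'.

    Assumed mapping: '<>' is IS_NOT_EQUAL_TO and '=' is IS_EQUAL_TO.
    """
    action, _, cond = text.strip().rstrip(";").partition(" if ")
    if "<>" in cond:
        prop, val = cond.split("<>", 1)
        op = IS_NOT_EQUAL_TO
    else:
        prop, val = cond.split("=", 1)
        op = IS_EQUAL_TO
    return SmartRule(action.upper(), prop.strip(), op, val.strip())


def condition_met(rule: SmartRule, user: Dict[str, Optional[str]]) -> bool:
    """Post-hot-fix semantics: an N/A property (None here) satisfies only the
    two negative operators, as the Resolution cell states."""
    actual = user.get(rule.prop)
    if actual is None:
        return rule.op in (IS_NOT_EQUAL_TO, DOES_NOT_CONTAIN)
    if rule.op == IS_EQUAL_TO:
        return actual == rule.value
    if rule.op == IS_NOT_EQUAL_TO:
        return actual != rule.value
    if rule.op == CONTAINS:
        return rule.value in actual
    if rule.op == DOES_NOT_CONTAIN:
        return rule.value not in actual
    raise ValueError(f"unsupported operator {rule.op}")


def evaluate(rules: List[SmartRule], user: Dict[str, Optional[str]],
             deny_on_conflict: bool = True) -> Optional[str]:
    """Apply the three-step order from the article's NOTE.

    Returns "ALLOW", "DENY", or None when no rule produces a result. None for
    the no-REQUIRE-rules case is an assumption of this model; the article does
    not describe that situation.
    """
    by_action = {a: [r for r in rules if r.action == a]
                 for a in ("DENY", "ALLOW", "REQUIRE")}
    order = ("DENY", "ALLOW") if deny_on_conflict else ("ALLOW", "DENY")
    for action in order:  # steps 1 and 2, order set by the conflict setting
        if any(condition_met(r, user) for r in by_action[action]):
            return action
    requires = by_action["REQUIRE"]  # step 3: REQUIRE has the lowest priority
    if not requires:
        return None
    return "ALLOW" if all(condition_met(r, user) for r in requires) else "DENY"


# Constructed sample input: the Workaround cell's rule set and three users.
WORKAROUND_RULES = [parse_rule(t) for t in (
    "DENY if companyCode<>DC10;",
    "ALLOW if title=Acct Manager;",
    "ALLOW if title=Corrosion Tech;",
)]

SAMPLE_USERS = {
    "manager_dc10": {"companyCode": "DC10", "title": "Acct Manager"},
    "manager_dc99": {"companyCode": "DC99", "title": "Acct Manager"},
    "manager_no_company": {"title": "Acct Manager"},  # companyCode is N/A
}


def workaround_results(deny_on_conflict: bool = True) -> Dict[str, Optional[str]]:
    """Evaluate every sample user against the workaround rule set."""
    return {name: evaluate(WORKAROUND_RULES, u, deny_on_conflict)
            for name, u in SAMPLE_USERS.items()}


if __name__ == "__main__":
    for name, result in workaround_results().items():
        print(f"{name:20s} -> {result}")
```

With the fixed null semantics, the user whose companyCode is not defined hits "DENY if companyCode<>DC10" (IS_NOT_EQUAL_TO is met on an N/A value), so the rule set fails closed in the "Deny access" mode. Switching the same resource to "ALLOW access when policy conflicts occur" reorders steps 1 and 2, and that user is allowed by the title rule before the DENY rule is ever consulted, which is worth checking when choosing the conflict-resolution setting for a resource that relies on a negative-operator DENY rule.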