Skip navigation

Log in to create and rate content, and to follow, bookmark, and share content with other members.

000020873 - ClearTrust SmartRule improperly evaluated when user property is NULL

Document created by RSA Customer Support

on Jun 16, 2016•Last modified by RSA Customer Support

on Apr 21, 2017

Version 2Show Document

Like • Show 0 Likes0
Comment • 0
View in full screen mode

Article Content

Article Number	000020873
Applies To	RSA ClearTrust 5.0.1 Authorization Server (AServer) Multiple SmartRules
Issue	ClearTrust SmartRule improperly evaluated when user property is NULL
Cause	SmartRule evaluation stops if a NULL user property is encountered. Multiple rules may not be processed in this instance. This defect has been resolved in ClearTrust hot fix 5.0.1.68.
Resolution	This issue has been corrected in ClearTrust hot fix 5.0.1.68 - please contact RSA Security Customer Support and request ClearTrust hot fix 5.0.1.68, or request the latest fix level (which is cumulative, and contains fixes from previous fix levels). After applying the hot fix, the AuthServer will correctly evaluate SmartRule with null value. If a user has a property with a value N/A (not yet entered), a SmartRule based on that property considers the condition met if and only if the operator is IS_NOT_EQUAL_TO or DOES_NOT_CONTAIN (DOES_NOT_CONTAIN is for String property only), regardless of whether the AuthServer is in "passive" or "active" mode. NOTE: AuthServer evaluates SmartRules in the following order to check if a user is authorized to access a resource: - If the resource is "Deny access when policy conflicts occur", then: 1. First evaluates all DENY rules associated with the resource. This step yields DENY result if condition is met for at least one DENY rule. 2. If step 1 yields no result (no condition met for any DENY rules), then evaluates all ALLOW rules associated with the resource. This step yields ALLOW result if condition is met for at least one ALLOW rule. 3. If step 1 & 2 yields no result, then evaluates all REQUIRE rules associated with the resource. This step yields DENY result if condition is NOT met for at least one REQUIRE rule, otherwise yields ALLOW result. - If the resource is "ALLOW access when policy conflicts occur", then: 1. First evaluates all ALLOW rules associated with the resource. This step yields ALLOW result if condition is met for at least one ALLOW rule. 2. If step 1 yields no result, then evaluates all DENY rules associated with the resource. This step yields DENY result if condition is met for at least one DENY rule. 3. If step 1 & 2 yields no result, then evaluates all REQUIRE rules associated with the resource. This step yields DENY result if condition is NOT met for at least one REQUIRE rule, otherwise yields ALLOW result. NOTE: REQUIRE rules are always evaluated with the lowest priority.
Workaround	Implemented a smart rule to allow a user access to an application if the following was true: companyCode="DC10" AND ((title=Acct Manager) OR (title=Corrosion Tech)) The smart rule to implement the above business rule looked like the following: DENY if companyCode<>DC10; ALLOW if title=Acct Manager; ALLOW if title=Corrosion Tech; Policy Conflict Resolution set to "Deny access when policy conflict occur" This SmartRule worked in all cases except when companyCode was not defined.
Legacy Article ID	a19326

Attachments

Outcomes

0 Comments

Recommended Content