000022518 - How does 'Deny access when policy conflicts occur' work in RSA ClearTrust?

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.

Article Content

Article Number: 000022518
Applies To: RSA ClearTrust 5.5.x Entitlements Manager (Admin GUI)
RSA ClearTrust 5.5.x Authorization Server (AServer)
Issue: How does "Deny access when policy conflicts occur" work in RSA ClearTrust?
The user is denied access even though a specific RSA ClearTrust entitlement allows them access to the resource.
RSA ClearTrust Authorization Server debug output shows the following transaction:

13:01:09:048 [*] [MUXWORKER-2] - User user2 has 2 entitlements
13:01:09:048 [*] [MUXWORKER-2] - Entitled entity is: myGroup at distance 0
13:01:09:048 [*] [MUXWORKER-2] - We have 2 entitlements
13:01:09:048 [*] [MUXWORKER-2] - Entitlement is allow: true
13:01:09:048 [*] [MUXWORKER-2] - Entitlement is allow: false
13:01:09:048 [*] [MUXWORKER-2] - Auth Decision is AuthResult.GROUP_ENTITLEMENT_DENY
Cause: A protected resource can carry more than one entitlement that applies to the same user. In the debug output above, two entitlements reach user2 through the group myGroup at distance 0: one allows access and the other denies it, so the entitlements conflict. When "Deny access when policy conflicts occur" is set, the Authorization Server resolves the conflict fail-closed and returns a deny (AuthResult.GROUP_ENTITLEMENT_DENY above) even though an allowing entitlement is present. This is the expected behavior.
Resolution: Remove "Deny access when policy conflicts occur" from the rule, so that an allowing entitlement is honoured and only users who hold an entitlement to the resource can access it. Before clearing it, check why the denying entitlement exists: the setting is the fail-closed choice, and clearing it changes the outcome of every allow/deny conflict on that resource, not only this user's. If the deny was not intended, removing the conflicting entitlement so that no conflict arises is the narrower fix.
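As an added example (not part of the original article and not RSA's own code), the following Python script parses AServer debug lines of the form quoted above, reports the transactions in which an allow/deny conflict produced the deny (as opposed to a plain deny), and models the conflict rule so that the two settings can be compared side by side. The sample log is constructed: the MUXWORKER-3 transaction and the assumption that clearing the setting lets the allowing entitlement win are illustrative, not taken from the article.

```python
import re

# Constructed sample of RSA ClearTrust AServer debug output, modelled on the lines
# quoted in this article. The MUXWORKER-3 transaction is made up for contrast: the
# same group grants user3 two entitlements that both deny, so there is no conflict.
SAMPLE_LOG = """\
13:01:09:048 [*] [MUXWORKER-2] - User user2 has 2 entitlements
13:01:09:048 [*] [MUXWORKER-2] - Entitled entity is: myGroup at distance 0
13:01:09:048 [*] [MUXWORKER-2] - We have 2 entitlements
13:01:09:048 [*] [MUXWORKER-2] - Entitlement is allow: true
13:01:09:048 [*] [MUXWORKER-2] - Entitlement is allow: false
13:01:09:048 [*] [MUXWORKER-2] - Auth Decision is AuthResult.GROUP_ENTITLEMENT_DENY
13:01:12:210 [*] [MUXWORKER-3] - User user3 has 2 entitlements
13:01:12:210 [*] [MUXWORKER-3] - Entitled entity is: myGroup at distance 0
13:01:12:210 [*] [MUXWORKER-3] - We have 2 entitlements
13:01:12:210 [*] [MUXWORKER-3] - Entitlement is allow: false
13:01:12:210 [*] [MUXWORKER-3] - Entitlement is allow: false
13:01:12:210 [*] [MUXWORKER-3] - Auth Decision is AuthResult.GROUP_ENTITLEMENT_DENY
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \[\*\] \[(?P<worker>[^\]]+)\] - (?P<msg>.*)$")
USER_RE = re.compile(r"^User (?P<user>\S+) has (?P<count>\d+) entitlements$")
ENTITY_RE = re.compile(r"^Entitled entity is: (?P<entity>\S+) at distance (?P<distance>\d+)$")
ALLOW_RE = re.compile(r"^Entitlement is allow: (?P<allow>true|false)$")
DECISION_RE = re.compile(r"^Auth Decision is AuthResult\.(?P<decision>\S+)$")


def parse_transactions(log_text):
    """Group AServer debug lines into one record per authorization transaction.

    A worker thread handles transactions one after another, so a new
    'User ... has N entitlements' line on a worker starts a new record for it.
    """
    records = []
    current = {}  # worker -> record currently being filled
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not an AServer line this parser understands
        worker, msg = m.group("worker"), m.group("msg")
        um = USER_RE.match(msg)
        if um:
            rec = {"ts": m.group("ts"), "worker": worker, "user": um.group("user"),
                   "declared": int(um.group("count")), "entity": None,
                   "distance": None, "allows": [], "decision": None}
            records.append(rec)
            current[worker] = rec
            continue
        rec = current.get(worker)
        if rec is None:
            continue  # entitlement line without a preceding User line (truncated log)
        em = ENTITY_RE.match(msg)
        if em:
            rec["entity"] = em.group("entity")
            rec["distance"] = int(em.group("distance"))
            continue
        am = ALLOW_RE.match(msg)
        if am:
            rec["allows"].append(am.group("allow") == "true")
            continue
        dm = DECISION_RE.match(msg)
        if dm:
            rec["decision"] = dm.group("decision")
    return records


def has_conflict(allows):
    """True when the applicable entitlements both allow and deny the user."""
    return any(allows) and not all(allows)


def evaluate(allows, deny_on_conflict=True):
    """Model of the conflict rule the article describes; not ClearTrust's own code.

    All-allow -> ALLOW, all-deny -> DENY. A mixed set is a policy conflict: with
    'Deny access when policy conflicts occur' set it is resolved fail-closed (DENY);
    without it the allowing entitlement is honoured (ALLOW), which is what the
    article's Resolution implies (assumption). No entitlement at all is treated as
    DENY, the default for a protected resource (assumption).
    """
    if not allows:
        return "DENY"
    if has_conflict(allows):
        return "DENY" if deny_on_conflict else "ALLOW"
    return "ALLOW" if allows[0] else "DENY"


def find_conflict_denies(records):
    """Transactions denied because of an allow/deny conflict, not a plain deny.

    These are the only ones whose outcome would change if the denying
    entitlement were removed or the deny-on-conflict setting cleared.
    """
    return [r for r in records
            if has_conflict(r["allows"]) and r["decision"] is not None
            and r["decision"].endswith("_DENY")]


if __name__ == "__main__":
    for r in find_conflict_denies(parse_transactions(SAMPLE_LOG)):
        print(f'{r["ts"]} {r["user"]} via {r["entity"]} (distance {r["distance"]}): '
              f'{r["allows"]} -> {r["decision"]}  [policy conflict]')
```

Run against a real AServer debug log in place of SAMPLE_LOG, the report separates users denied by a conflict (candidates for the fix above) from users denied because no entitlement allows them, which the Resolution deliberately leaves unchanged.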
Legacy Article ID: a28968