000024731 - Smart Rule mapping for Boolean Expression in RSA ClearTrust

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000024731
Applies To: RSA ClearTrust 5.5.2; Microsoft Windows 2000 SP4
Issue: Smart Rule mapping for Boolean Expression in RSA ClearTrust
If a boolean expression is incorrectly translated into Smart Rule operators, some users may incorrectly be able to access the ClearTrust-protected resource contents, while others may receive the ct_access_denied.html page.
Cause: This article provides clear definitions of the mapping between boolean expressions (AND, OR) and ClearTrust Smart Rule operators (DENY, ALLOW, REQUIRE).
Resolution: Suppose the access control requirement is to allow users access to ClearTrust-protected resources if "(d AND e) OR c" evaluates to TRUE, where c, d, and e are conditions that must be met (e.g. <user attribute name>=<specific value>, such as Age > 21).

First, set up a protected resource and a user who has no entitlement to this resource, but will have access based solely on smart rules.

Then, create an application within ClearTrust to house the protected resource. The application itself is set to Allow access when policy conflict occurs. The protected resource is also set to Allow access when policy conflict occurs. This setting means that Allow rules are evaluated before any Deny rules.

Next, set up 3 rules:

ALLOW if condition c is true

REQUIRE d=meets some specific condition

REQUIRE e=meets some other specific condition

NOTE: With the Allow access when policy conflict occurs setting, the ALLOW rule is executed first and functions as the OR operator. If the c condition is true, there is no need to process the other rules and access is granted. If the c condition is false, the REQUIRE rules are executed next.

All REQUIRE rules must evaluate to true for the overall result to be true; if any one REQUIRE rule evaluates to false, the remaining REQUIRE rules need not be processed and the overall result is false. REQUIRE rules therefore operate as the AND operator.
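The following Python is an added example, not part of the original article and not ClearTrust code: it models the evaluation order described above (ALLOW rules first and granting immediately, then every REQUIRE rule must pass) and checks the recommended rule set against the intended expression "(d AND e) OR c" for every combination of the three conditions. The conditions c, d and e are reduced to constructed booleans; the assumption that a user with no entitlement and no matching rule is denied is labelled in the code.

```python
from itertools import product

# Recommended mapping from the article: one ALLOW rule (acts as OR)
# followed by REQUIRE rules (act as AND).
RECOMMENDED_RULES = [
    ("ALLOW", lambda attrs: attrs["c"]),
    ("REQUIRE", lambda attrs: attrs["d"]),
    ("REQUIRE", lambda attrs: attrs["e"]),
]

# A mistaken translation (constructed for comparison): every condition
# written as an ALLOW rule, which evaluates as c OR d OR e.
ALL_ALLOW_RULES = [
    ("ALLOW", lambda attrs: attrs["c"]),
    ("ALLOW", lambda attrs: attrs["d"]),
    ("ALLOW", lambda attrs: attrs["e"]),
]


def evaluate(rules, attrs):
    """Model of the order described for 'Allow access when policy conflict
    occurs': any true ALLOW rule grants access at once; otherwise all
    REQUIRE rules must be true. This is a simplified model, not the
    product's evaluator."""
    for op, cond in rules:
        if op == "ALLOW" and cond(attrs):
            return True
    requires = [cond for op, cond in rules if op == "REQUIRE"]
    if not requires:
        # Assumption: the user has no entitlement of their own, so with
        # nothing granting access the result is denied.
        return False
    return all(cond(attrs) for cond in requires)


def intended(attrs):
    """The boolean expression the administrator meant to enforce."""
    return (attrs["d"] and attrs["e"]) or attrs["c"]


def mismatches(rules, expression):
    """Return every (c, d, e) combination where the rule set and the
    intended expression disagree. Constructed truth table of 8 rows."""
    bad = []
    for c, d, e in product([False, True], repeat=3):
        attrs = {"c": c, "d": d, "e": e}
        if evaluate(rules, attrs) != expression(attrs):
            bad.append(attrs)
    return bad
```

An empty result for RECOMMENDED_RULES confirms the mapping; the all-ALLOW set over-grants for users who satisfy only one of d or e.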
Legacy Article ID: a22238
