|Applies To||RSA ClearTrust 5.0|
|Issue||How does ClearTrust evaluate a recursive group or circular reference in a group hierarchy?|
|Resolution||ClearTrust supports recursive Groups. Under normal circumstances, ClearTrust evaluates the 'level' at which an entitlement applies in order to work out the precedence. Entitlements at the lowest level have precedence over Entitlements assigned higher.|
Therefore, if you have a group defined as Group1/Group2/Group3, Entitlements in Group3 take precedence over Entitlements in Group1 or Group2. So if Group1 is allowed, and Group3 is denied, a user in both groups will be denied.
When evaluating any group tree (including trees with recursive entries), the program traverses from the entry point (where the user resides) up the tree until encounters the end of the tree, or the group itself again. The level of the Entitlement is the number of groups above the entry. For groups with n parents, the level is n. For groups with no parents, the level is zero.
NOTE: For groups with recursive entries, the level is evaluated to zero.
Thus, if you have a recursive group defined as; Group1/Group2/Group3/Group1/Group2....etc, a user in any group is assumed to be a member of all groups. All groups are evaluated with the same weight. If all groups deny, the result is deny; if all groups allow, the result is allow; if some groups allow and some deny, the result is based on resolution setting in the application.
NOTE: The processing penalty for evaluating these recursive relationships is minor.
|Legacy Article ID||a14784|