Keycloak 18.0.1: issue with authorization and multiple policies/permissions

Hi, we are running into an issue with multiple policies/permissions.

  1. Policy A - user A with scope A,B,C works fine.
  2. Policy B - user B with scope B,C,D gives 403.
  3. Policy C - user C with scope C,D,E gives 403.

If User B is added to Policy A, it works fine and returns the combined result of scopes A, B, C, D.

For User C, we need to add this user to both Policy A and Policy B; then it works fine and returns the combined result of scopes A, B, C, D, E.

We want this to work independently: User B should get access by being added only to Policy B, and User C by being added only to Policy C.

Both policies are Positive and both permissions are Affirmative.

On the Evaluate page the result is as expected, but the same request from Postman gives an error.

JSON from the Authorization export:

{
“allowRemoteResourceManagement”: false,
“policyEnforcementMode”: “ENFORCING”,
“resources”: [
{
“name”: “ResourceA”,
“type”: “urn:generic-rest-api:resources:employees”,
“ownerManagedAccess”: false,
“attributes”: {},
“_id”: “1b41c828-b78f-44da-84ab-e62a0b4843b5”,
“uris”: [
“/v1/employees/"
],
“scopes”: [
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:admindescription:view”
},
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:accessRole:view”
},
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:address:view”
}
]
},
{
“name”: “ResourceB”,
“type”: “urn:generic-rest-api:resources:employees”,
“ownerManagedAccess”: false,
“displayName”: “ResourceB”,
“attributes”: {},
“_id”: “6237e427-55ef-4c1e-9e3d-714e5bfe31c9”,
“uris”: [
"/v1/employees/

],
“scopes”: [
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:admindescription:view”
},
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:companyid:view”
},
{
“name”: “urn:generic-rest-api:scopes:employees:attribute:authorizedAmount:view”
}
]
},
{
“name”: “Default Resource”,
“type”: “urn:employee-rest-api:resources:default”,
“ownerManagedAccess”: false,
“attributes”: {},
“_id”: “fb476666-f779-4a86-8234-d49e897f6405”,
“uris”: [
“/*”
]
}
],
“policies”: [
{
“id”: “1e08f5f3-a766-416b-9448-50716dd0580b”,
“name”: “PolicyB”,
“type”: “user”,
“logic”: “POSITIVE”,
“decisionStrategy”: “UNANIMOUS”,
“config”: {
“users”: “["UserB"]”
}
},
{
“id”: “8f90f109-0c7b-4caa-9620-50b7d36bd463”,
“name”: “Default Policy”,
“description”: “A policy that grants access only for users within this realm”,
“type”: “js”,
“logic”: “POSITIVE”,
“decisionStrategy”: “AFFIRMATIVE”,
“config”: {
“code”: “// by default, grants any permission associated with this policy\n$evaluation.grant();\n”
}
},
{
“id”: “c4ce02d8-cb2d-479f-ad22-82f092535b1b”,
“name”: “PolicyA”,
“type”: “user”,
“logic”: “POSITIVE”,
“decisionStrategy”: “UNANIMOUS”,
“config”: {
“users”: “["UserA"]”
}
},
{
“id”: “29f9ae37-afa9-4a98-864f-bc9f8dd7a783”,
“name”: “PermissionA”,
“type”: “resource”,
“logic”: “POSITIVE”,
“decisionStrategy”: “AFFIRMATIVE”,
“config”: {
“resources”: “["ResourceA"]”,
“applyPolicies”: “["PolicyA"]”
}
},
{
“id”: “3b71972f-3754-464d-99b6-f5c11e5962cc”,
“name”: “PermissionB”,
“type”: “resource”,
“logic”: “POSITIVE”,
“decisionStrategy”: “AFFIRMATIVE”,
“config”: {
“resources”: “["ResourceB"]”,
“applyPolicies”: “["PolicyB"]”
}
},
{
“id”: “3f21cf9d-f0b4-4b54-a3b9-5cbc4c1f060c”,
“name”: “Default Permission”,
“description”: “A permission that applies to the default resource type”,
“type”: “resource”,
“logic”: “POSITIVE”,
“decisionStrategy”: “AFFIRMATIVE”,
“config”: {
“defaultResourceType”: “urn:employee-rest-api:resources:default”,
“applyPolicies”: “["Default Policy"]”
}
}
],
“scopes”: [
{
“id”: “c14170f6-0ef7-416e-bde8-c394f6f3ed13”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:admindescription:view”
},
{
“id”: “1d88b211-7961-4a2b-bfae-696566366f1f”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:adusertype:view”
},
{
“id”: “bfa6a52a-46de-4e86-8c72-4ea738752cd0”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:accessRole:view”
},
{
“id”: “f646b5af-bcc4-42a5-b135-de5d0c78ac5b”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:address:view”
},
{
“id”: “50286c2a-b0b4-423b-ac99-9b7b64bdebee”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:authorizedAmount:view”
},
{
“id”: “08140d1b-1c51-4563-96c4-4f6a628e9933”,
“name”: “urn:generic-rest-api:scopes:employees:attribute:companyid:view”
}
],
“decisionStrategy”: “UNANIMOUS”
}