11.8.3. Changing the Permission Combination Policy

Permission Combination Policy determines how permissions are determined if a user is assigned more than one role. This can be set to permissive or rejecting. The default is permissive.
When set to permissive, if any role is assigned to the user that permits an action, then the action is allowed.
When set to rejecting, if multiple roles are assigned to a user that permit an action, then the action is not allowed.
When the policy is set to rejecting each user should only be assigned one role. Users with multiple roles will not be able to use the management console or jboss-cli.sh tool when the policy is set to rejecting.
The Permission Combination Policy is configured by setting the permission-combination-policy attribute to either permissive or rejecting. This can be done using the jboss-cli.sh tool or by editing the server configuration XML file if the server is off-line.

Procedure 11.3. Set the Permission Combination Policy

  • Use the write-attribute operation of the access authorization resource to set the permission-combination-policy attribute to the required policy name.
    /core-service=management/access=authorization:write-attribute(name=permission-combination-policy, value=POLICYNAME)
    The valid policy names are rejecting and permissive.
    [standalone@localhost:9999 /] /core-service=management/access=authorization:write-attribute(name=permission-combination-policy, value=rejecting)
    {"outcome" => "success"}
    [standalone@localhost:9999 access=authorization] 
    
    
If the server is off-line the XML configuration can be edited to change the permission combination policy value. To do this, edit the permission-combination-policy attribute of the access-control element.
<access-control provider="rbac" permission-combination-policy="rejecting">
  <role-mapping>
    <role name="SuperUser">
      <include>
        <user name="$local"/>
      </include>
    </role>
  </role-mapping>
</access-control>