11.8.3. Changing the Permission Combination Policy
Permission Combination Policy determines how permissions are determined if a user is assigned more than one role. This can be set to
permissive
or rejecting
. The default is permissive
.
When set to
permissive
, if any role is assigned to the user that permits an action, then the action is allowed.
When set to
rejecting
, if multiple roles are assigned to a user that permit an action, then the action is not allowed.
When the policy is set to rejecting each user should only be assigned one role. Users with multiple roles will not be able to use the management console or
jboss-cli.sh
tool when the policy is set to rejecting
.
The Permission Combination Policy is configured by setting the
permission-combination-policy
attribute to either permissive
or rejecting
. This can be done using the jboss-cli.sh
tool or by editing the server configuration XML file if the server is off-line.
Procedure 11.3. Set the Permission Combination Policy
- Use the
write-attribute
operation of the access authorization resource to set thepermission-combination-policy
attribute to the required policy name./core-service=management/access=authorization:write-attribute(name=permission-combination-policy, value=POLICYNAME)
The valid policy names are rejecting and permissive.[standalone@localhost:9999 /] /core-service=management/access=authorization:write-attribute(name=permission-combination-policy, value=rejecting) {"outcome" => "success"} [standalone@localhost:9999 access=authorization]
If the server is off-line the XML configuration can be edited to change the permission combination policy value. To do this, edit the
permission-combination-policy
attribute of the access-control element.
<access-control provider="rbac" permission-combination-policy="rejecting"> <role-mapping> <role name="SuperUser"> <include> <user name="$local"/> </include> </role> </role-mapping> </access-control>