6.8.3. Changing the Permission Combination Policy
The Permission Combination Policy determines how permissions are determined if a user is assigned more than one role. This can be set to
permissive
or rejecting
. The default is permissive
.
When set to
permissive
, if any role is assigned to the user that permits an action, then the action is allowed.
When set to
rejecting
, if multiple roles are assigned to a user, then no action is allowed. This means that when the policy is set to rejecting
each user should only be assigned one role. Users with multiple roles will not be able to use the Management Console or the Management CLI when the policy is set to rejecting
.
The Permission Combination Policy is configured by setting the
permission-combination-policy
attribute to either permissive
or rejecting
. This can be done using the Management CLI or by editing the server configuration XML file if the server is offline.
Procedure 6.3. Set the Permission Combination Policy
- Use the
write-attribute
operation of the access authorization resource to set thepermission-combination-policy
attribute to the required policy name./core-service=management/access=authorization:write-attribute(name=permission-combination-policy, value=POLICYNAME)
The valid policy names are rejecting and permissive.[standalone@localhost:9999 /] /core-service=management/access=authorization:write-attribute(name=permission-combination-policy, value=rejecting) {"outcome" => "success"} [standalone@localhost:9999 access=authorization]
If the server is offline the XML configuration can be edited to change the permission combination policy value. To do this, edit the
permission-combination-policy
attribute of the access-control element.
<access-control provider="rbac" permission-combination-policy="rejecting"> <role-mapping> <role name="SuperUser"> <include> <user name="$local"/> </include> </role> </role-mapping> </access-control>