6.8.3. Changing the Permission Combination Policy

The Permission Combination Policy determines how permissions are determined if a user is assigned more than one role. This can be set to permissive or rejecting. The default is permissive.
When set to permissive, if any role is assigned to the user that permits an action, then the action is allowed.
When set to rejecting, if multiple roles are assigned to a user, then no action is allowed. This means that when the policy is set to rejecting each user should only be assigned one role. Users with multiple roles will not be able to use the Management Console or the Management CLI when the policy is set to rejecting.
The Permission Combination Policy is configured by setting the permission-combination-policy attribute to either permissive or rejecting. This can be done using the Management CLI or by editing the server configuration XML file if the server is offline.

Procedure 6.3. Set the Permission Combination Policy

  • Use the write-attribute operation of the access authorization resource to set the permission-combination-policy attribute to the required policy name.
    /core-service=management/access=authorization:write-attribute(name=permission-combination-policy, value=POLICYNAME)
    The valid policy names are rejecting and permissive.
    [standalone@localhost:9999 /] /core-service=management/access=authorization:write-attribute(name=permission-combination-policy, value=rejecting)
    {"outcome" => "success"}
    [standalone@localhost:9999 access=authorization]
    
If the server is offline the XML configuration can be edited to change the permission combination policy value. To do this, edit the permission-combination-policy attribute of the access-control element.
<access-control provider="rbac" permission-combination-policy="rejecting">
  <role-mapping>
    <role name="SuperUser">
      <include>
        <user name="$local"/>
      </include>
    </role>
  </role-mapping>
</access-control>