If a user has multiple roles that have different authorization policies applicable in the same context, then the user’s access rights are the cumulative rights across those policies. For example, the authorization check for the permission to search for users returns a list of obligations. This is a list of obligations from each applicable authorization policy. These obligations from multiple policies are combined to get a unified search result.
The following types of obligations are returned as a result of multiple authorization policies:
- OrclOIMOrgScopingDirect: This is used to search the given entity for the intent-based search. This is supported only for view-search.
- OrclOIMOrgScopingWithHierarchy: This considers the hierarchy of the Admin Role organization scoping, and it can search entities in down hierarchy. This allows users to view and modify user profiles without approval as applicable for the organization in which the user has the appropriate admin role, and its suborganizations. This is controlled by the Hierarchy Aware data constraint.
- OrclOIMNeedApproval: This obligation defines if the authorization policies are applicable, then the operation requires approval or not. If the value of this flag is true, then a request is created. If the value is false, then it is a direct operation.
- OrclOIMUserManagementScoping: This is used for making the search criteria to search in the management chain of the user.
- OrclOIMDeniedAttributesWithoutApproval: This defines the obligation for the user attributes that are denied for modification without a request approval.
- OrclOIMDeniedAttributesDirect: This defined the obligation for the user attributes that are denied for the view user operation as a direct operation.
- OrclOIMDeniedAttributesWithApproval: This defines the obligation for the user attributes that are denied for modification with a request approval.
The following are examples of policy obligations returned as a result of multiple authorization policies:
- The user with role viewer admin role for an organization need approval to grant a role to the user. The role viewer can view all users in the organization with hierarchy as a result of OrgScopingWithHierarchy policy obligation. For the same organization, granting a role to a user is a direct operation for a user with the role authorizer admin role.
- Suppose there are two admin roles assigned to a user in the same organization scoping, User Viewer and User Administrator. When both the users try to modify a user, the first admin role policy returns approval-required, and other policy returns that approval is not required. As a result, no request would be raised, and the cumulative effect of two approval-required obligations is NO-approval required.
- As a result of the OrgScopingDirect policy obligation, a user with the role authorizer admin role can view all users in an organization. The same user with role authorizer admin role can be denied modifying a few attributes by the DeniedAttributesWithApproval policy obligation, and as a result, the attributes are not displayed to the user.
- Suppose a user is a Role Viewer in Org1 and Role Authorizer in Org2. Then if the user searches for the roles, then the obligation returned from policy1 is OrgScopingDirect = org1 and OrgScopingDirect = org2. Therefore, roles will be returned from both the organizations.