How does the rule interpreter process ROLESET rule entries? Is possible to use a "blocking rule line" to stop the interpreter from proceeding down the rule set looking for a match?
During access validation on a Roleset rule, the first role in the list is used for rule validation. If access is denied, the next role in the list is selected and the rule validation is re-driven. This process continues until access is allowed or the user’s list of roles is exhausted.
USER001 belongs to ROLE1, ROLE2 and ROLE3:
ROLE1 LAST CHANGED BY SYSA002 ON 03/29/19-14:25
INCLUDE(USER001 USER008 USER009) ROLE
ROLE2 LAST CHANGED BY SYSA002 ON 03/29/19-14:25
INCLUDE(USER001 USER002 USER003) ROLE
ROLE3 LAST CHANGED BY SYSA002 ON 03/29/19-14:25
INCLUDE(USER001 USER004 USER005) ROLE
The following ROLESET rule is in place
P-.- ROLE(ROLE3) READ(A) EXEC(A)