Understanding EEM Policy Precedence: Deny vs. Grant Behavior
Article ID: 402994


Products

Autosys Workload Automation

Issue/Introduction

This document clarifies the behavior of deny and grant policies within EEM (Embedded Entitlements Manager), specifically addressing the question of whether a deny policy consistently overrides a grant policy. The common assumption is that a deny policy should always take precedence over a grant policy.

Resolution

When comparing deny and grant policies in EEM, the outcome (deny or grant) depends on several factors beyond just the policy type. If all configurable parameters are equal between competing policies, then a deny policy will indeed take precedence over a grant policy. However, if these parameters are not equal, a grant policy might be applied instead of a deny.

Consider the following scenarios:

  1. "Use Best Match Algorithm" is Disabled:

    • If the "Use Best Match Algorithm" setting is disabled, and both a deny and a grant policy apply equally to the requested resource and identity, the deny policy will win.
  2. "Use Best Match Algorithm" is Enabled:

    • When "Use Best Match Algorithm" is enabled, EEM evaluates all applicable policies and selects the single policy that has the most matching characters (or the "best match") for the resource being accessed. This chosen policy (whether deny or grant) then dictates access.
  3. Example with "Use Best Match Algorithm" Enabled and Regular Expressions:

    • Grant Policy: Resource set to PRD.* with "Treat resource names as regular expressions" = OFF
    • Deny Policy: Resource set to PRD.* with "Treat resource names as regular expressions" = ON
    • Scenario: Attempting to access PRD.123
    • Outcome: The grant policy wins.
      • With "Treat resource names as regular expressions" OFF for the grant policy, PRD.* is read as the literal characters PRD. followed by a wildcard (*). The pattern pins down the first four characters (PRD.) of PRD.123 explicitly; the wildcard absorbs the rest.
      • With "Treat resource names as regular expressions" ON for the deny policy, PRD.* is a regular expression: the dot is a metacharacter that matches any single character, and * repeats it zero or more times, so .* matches the whole remainder (123) and the deny policy does match PRD.123. Only the three literal characters PRD are matched explicitly, however; the dot and everything after it are matched by metacharacters, so the deny policy scores a match of 3 characters against the grant policy's 4.
      • Therefore the grant policy is considered the "better match" because it matches more characters explicitly, and it is the policy applied, even though the deny policy also matches the resource. Under best match, a deny policy only reliably overrides a grant when its pattern is at least as specific as the grant's; writing the deny pattern as PRD\..* (a literal dot) would match the same four characters explicitly, and the deny would then win the tie.
  4. "Use Best Match Algorithm" is Disabled (Revisit):

    • If "Use Best Match Algorithm" is toggled off, EEM does not select a single best policy; every policy that matches the requested resource and identity is considered. In the scenario from example 3, both the grant policy and the deny policy match PRD.123, so the general rule applies: when a deny policy and a grant policy are both applicable, the deny policy always beats the grant policy. In this case, the deny policy wins.
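The following Python model reproduces the rules in the four scenarios above so that a policy set can be checked before it is deployed. It is an added illustration, not EEM's own code: the match score (the number of characters a pattern matches explicitly, with * in non-regex mode and regex metacharacters not counting) is an assumption chosen to reproduce the article's example, regex patterns are assumed to need a full match of the resource name, identity and other policy filters are assumed to match already, and a resource that no policy matches is treated as denied. The names Policy, matches, match_score and decide are hypothetical.

```python
import re
from dataclasses import dataclass

# Simplified model of the EEM precedence rules described in this article.
# Added illustration, not EEM's implementation: the "score" (characters a
# pattern matches explicitly rather than through a wildcard or metacharacter)
# is an assumption made to reproduce the article's worked example.
# Identity, calendar and other policy filters are assumed to match already.

REGEX_META = set(".*+?^$|()[]{}")   # treated as metacharacters when regex mode is ON


@dataclass(frozen=True)
class Policy:
    name: str
    resource: str      # resource name/pattern as entered in the policy
    is_regex: bool     # "Treat resource names as regular expressions"
    action: str        # "grant" or "deny"


def matches(policy: Policy, resource: str) -> bool:
    """Does the policy's resource pattern match the requested resource name?"""
    if policy.is_regex:
        # Regex mode: pattern used as written; whole name must match (assumption).
        return re.fullmatch(policy.resource, resource) is not None
    # Non-regex mode: '*' is the only wildcard; every other character is literal.
    pattern = ".*".join(re.escape(part) for part in policy.resource.split("*"))
    return re.fullmatch(pattern, resource) is not None


def match_score(policy: Policy) -> int:
    """Count the characters the pattern matches explicitly (the best-match score)."""
    pattern = policy.resource
    if not policy.is_regex:
        return sum(1 for ch in pattern if ch != "*")
    score, i = 0, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            score += 1      # an escaped metacharacter such as '\.' is one literal character
            i += 2
            continue
        if ch not in REGEX_META:
            score += 1      # '.' and '*' are metacharacters and do not count
        i += 1
    return score


def decide(policies, resource: str, use_best_match: bool):
    """Return (action, policy) for a resource under the two evaluation modes."""
    applicable = [p for p in policies if matches(p, resource)]
    if not applicable:
        return "deny", None     # nothing grants access: implicit deny (assumption)
    if not use_best_match:
        # Best match OFF: every matching policy counts, and any deny beats any grant.
        denies = [p for p in applicable if p.action == "deny"]
        chosen = denies[0] if denies else applicable[0]
        return chosen.action, chosen
    # Best match ON: only the highest-scoring policy decides; deny wins an exact tie.
    top_score = max(match_score(p) for p in applicable)
    top = [p for p in applicable if match_score(p) == top_score]
    denies = [p for p in top if p.action == "deny"]
    chosen = denies[0] if denies else top[0]
    return chosen.action, chosen


# The two policies from example 3 above (constructed sample input).
GRANT_PRD = Policy("grant PRD.*", "PRD.*", is_regex=False, action="grant")
DENY_PRD = Policy("deny PRD.*", "PRD.*", is_regex=True, action="deny")
ARTICLE_POLICIES = [GRANT_PRD, DENY_PRD]

if __name__ == "__main__":
    for best in (True, False):
        action, pol = decide(ARTICLE_POLICIES, "PRD.123", use_best_match=best)
        print(f"best match {'ON ' if best else 'OFF'}: {action} "
              f"(by '{pol.name}', score {match_score(pol)})")
```

Running it prints grant with best match on and deny with best match off, matching examples 3 and 4. The same function also shows the consequence a practitioner usually cares about: with best match on, an exact grant such as PRD.123 (score 7) beats a broad deny such as PRD* (score 3), while a deny written with an escaped dot, PRD\..*, ties the grant at 4 and wins.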