Unix Access Management

VAS allow and deny files - resolving conflicts

I am unhappy with the way that VAS resolves conflicts between the users.allow and users.deny files (and between <service>.allow and <service>.deny, where "per service access control" is used) when one of the files contains a user explicitly, and the other contains a group of which the user is a member.

The current rules are described at

https://support.oneidentity.com/technical-documents/authentication-services/4.2/administration-guide/32

The table says that, if a user is explicitly in users.allow, but is also in a group that is in users.deny, then access is ALLOWED (presumably on the principle that the explicit user specification is "more specific").

This goes against basic security principles.  A security product should "fail secure".  If there is a conflict between allowing or denying access, access should always be denied, regardless of whether the denial is being specified directly or via membership of a group.

I would like the behaviour of the product to be changed.  I recognise that this might cause things to break that rely on the current behaviour.  This could be handled by providing a configuration option that controls whether the old or the new behaviour is used.
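To make the two resolution policies concrete, here is an added model of the conflict resolution described above. It is example code written for this page, not One Identity's implementation, and its file syntax is an assumption (one entry per line, `#` comments, `@name` for a group, a bare name for a user); the real VAS entry syntax is not described in the post. The `most-specific` mode reproduces the behaviour the post attributes to the current product (an explicit user entry beats a group entry on the other side), and the `deny-wins` mode is the requested "fail secure" behaviour. Two cases the post does not cover are handled by assumption: a user with no match in the allow list is denied, and an explicit user entry in both files is denied in either mode.

```python
"""Model of users.allow / users.deny conflict resolution (added example).

Assumed, simplified entry syntax: one entry per line, '#' starts a comment,
'@name' names a group, anything else names a user. Not VAS's real syntax.
"""
from dataclasses import dataclass

# How specific a match is; a higher value wins in 'most-specific' mode.
USER = 2   # explicit user entry
GROUP = 1  # entry for a group the user belongs to
NONE = 0   # no entry matches the user


@dataclass(frozen=True)
class Policy:
    allow: tuple  # raw lines of users.allow (or <service>.allow)
    deny: tuple   # raw lines of users.deny  (or <service>.deny)


def parse(lines):
    """Split an allow/deny file into the users and groups it names."""
    users, groups = set(), set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        if entry.startswith("@"):
            groups.add(entry[1:])
        else:
            users.add(entry)
    return users, groups


def specificity(lines, user, memberships):
    """Return the most specific way `lines` match `user` (USER > GROUP > NONE)."""
    users, groups = parse(lines)
    if user in users:
        return USER
    if memberships.get(user, set()) & groups:
        return GROUP
    return NONE


def is_allowed(policy, user, memberships, mode="deny-wins"):
    """Decide access for `user` under one of two resolution policies.

    'most-specific': the more specific entry decides; an explicit user in
        users.allow overrides a group entry in users.deny (the current
        behaviour as the post describes it). Ties (same specificity on both
        sides) are denied; that tie rule is an assumption.
    'deny-wins': any deny match denies, however the allow match was made
        (the requested behaviour).
    In both modes a user with no allow match is denied (assumption).
    """
    a = specificity(policy.allow, user, memberships)
    d = specificity(policy.deny, user, memberships)
    if a == NONE:
        return False
    if d == NONE:
        return True
    if mode == "deny-wins":
        return False
    if mode == "most-specific":
        return a > d
    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample data; none of it comes from the original post.
MEMBERSHIPS = {
    "alice": {"contractors"},   # the post's conflict case
    "bob": {"admins"},
    "carol": {"staff"},
}
POLICY = Policy(
    allow=("alice   # explicitly allowed", "@admins", "@staff"),
    deny=("@contractors", "bob"),
)


def decisions(mode):
    """Access decision per sample user under the given mode."""
    return {u: is_allowed(POLICY, u, MEMBERSHIPS, mode)
            for u in ("alice", "bob", "carol", "dave")}


if __name__ == "__main__":
    for mode in ("most-specific", "deny-wins"):
        print(mode, decisions(mode))
```

Running the block shows the disagreement the post is about: `alice` (explicit in users.allow, member of a denied group) is allowed under `most-specific` and denied under `deny-wins`, while the other users get the same answer in both modes. A configuration option of the kind requested would simply select which of the two modes `is_allowed` applies.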

  • Hello,

    Would it be possible to open a Support case so we can log this request through our normal channels? It is entirely possible we will have some follow-up questions as well.

    We also like to associate these requests with a support case so we can properly report on them and provide you with a response from the product team.

    Thank you,

    Leigh Grant