Resolving Conflicting Authorizations

The Authorization Manager treats duplicate authorizations being created for a given role through means mentioned in Preventing Conflicting Authorizations. However as a user may be mapped to two or more different roles, the authorization manager still needs to resolve potential conflict.

The Definitive Authorizations of users are compiled as the sum of all authorizations of the roles to which that user is mapped (either directly or through a group membership). If any role to which a user is mapped is permitted to access a piece of information, then the user is permitted to access that information. This is true even if another role to which the user is mapped does not have access to that information.

In other words, a user can access information whenever that access is allowed by at least one of the roles to which he/she is mapped.