I am trying to implement some kind of global admin role that grants
access rights to all scopes within a resource.
What I did is the following:
- Defined a permission with a group policy on the resource (Admin)
- Defined a permission with a user policy on one specific scope e.g.
view. (normal user)
The problem that arises is, while evaluating the polices, the global
group policy always overwrites the decision from the group policy.
Therefore the user will always be denied access, even though one
permission grants access.
Can I change this behavior to make the accumulated result "PERMIT"
instead of "DENY"?
Show replies by date