If a user is allowed by the allow file and denied by the deny file (either directly or indirectly), the inconsistency must be resolved.
As a quick rule of thumb, precedence is given to the more specific user reference. The precedence is as follows: UPN listed, group listed, OU listed, and domain listed. If there’s a tie between users.allow and users.deny, users will be denied access. In the following table, the columns represent users.deny and the rows represent users.allow.
| users.allow \ users.deny | No File | User | Group | OU | Domain | Not |
|---|---|---|---|---|---|---|
| No File | A | D | D | D | D | A |
| User | A | D | A | A | A | A |
| Group | A | D | D | A | A | A |
| OU | A | D | D | * | A | A |
| Domain | A | D | D | D | D | A |
| Not | D | D | D | D | D | D |
Table 1: Rules for System Access
Please see page 131 of the QAS_Solutions.pdf or page 62 of the AuthenticationServices_4.0_AdminGuide.pdf for additional information.
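The precedence rule and Table 1 can be expressed as a small resolver, shown here as an added example that is not Authentication Services code. It assumes entries are already classified as `(kind, value)` pairs and that a file is `None` when absent; the function names, entry format and sample user are hypothetical.

```python
# Added illustration of Table 1; entry format and names are assumptions,
# not Authentication Services' own parser or file syntax.
RANK = {"user": 4, "group": 3, "ou": 2, "domain": 1}  # more specific = higher

def best_match(entries, user):
    """Return 'nofile', 'not' (file exists, user not listed) or the most
    specific entry kind that matches the user."""
    if entries is None:
        return "nofile"
    hits = [kind for kind, value in entries if value.lower() in user[kind]]
    return max(hits, key=RANK.get) if hits else "not"

def resolve(allow, deny):
    """Combine the two match results into 'A', 'D' or '*' per Table 1."""
    if allow == "not":
        return "D"      # allow file exists but does not list the user
    if deny in ("nofile", "not"):
        return "A"      # nothing denies the user
    if allow == "nofile":
        return "D"      # denied, and no allow entry to outrank it
    if allow == deny == "ou":
        return "*"      # Table 1 marks OU vs OU with '*'; not explained on this page
    return "A" if RANK[allow] > RANK[deny] else "D"  # ties are denied

def access(user, allow_entries, deny_entries):
    """Effective result for one user given both files' entries."""
    return resolve(best_match(allow_entries, user),
                   best_match(deny_entries, user))

# Constructed sample user and entries (lowercase for matching).
USER = {"user": {"jdoe@example.com"}, "group": {"unix-admins"},
        "ou": {"ou=servers,dc=example,dc=com"}, "domain": {"example.com"}}
ALLOW = [("group", "unix-admins")]
DENY = [("domain", "example.com")]

if __name__ == "__main__":
    print(access(USER, ALLOW, DENY))                            # -> A
    print(access(USER, ALLOW, [("user", "jdoe@example.com")]))  # -> D
```

Running `resolve` over every allow/deny combination reproduces Table 1, which makes it usable as a check when auditing effective access from the two files.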