Sun Identity Manager Deployment Reference

Control Access to Rules that Reference More Secure Rules

Users can call, view, and modify the content of a secure rule if they have been given access to a rule that references that secure rule.

Identity Manager runs an authorization check in which a wrapper calls all of the users who have a right to edit that rule. Authorized users can use that rule to call other rules without further authorization checking, which can give them indirect access to secure rules.

When you create a rule that references a secure rule and give users access rights to the less secure rule, be careful that you are not inadvertently giving them inappropriate access to the secure rule.

Note – To create a rule that references a more secure rule, you must control both organizations containing those rules. You also must have rights to run the first rule and call the secure rule.
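One way to audit for the indirect access described above, as an added example that is not part of the original documentation or of Identity Manager itself: it follows rule references transitively and reports every rule a user can access that reaches a rule in an organization the user has no access to. The rule, organization and user names are constructed, and the model (access decided by the rule's owning organization, checked only on the entry rule) is a simplifying assumption.

```python
from collections import deque

# Constructed sample data: rule name -> (owning organization, rules it references).
RULES = {
    "FormatDisplayName": ("Top:Helpdesk", ["LookupEmployee"]),
    "LookupEmployee":    ("Top:Helpdesk", ["ReadPayrollRecord", "FormatDisplayName"]),
    "ReadPayrollRecord": ("Top:Finance",  []),
    "NormalizePhone":    ("Top:Helpdesk", []),
}

# Constructed sample data: user -> organizations whose rules the user may access.
USER_ORGS = {
    "helpdesk_op": {"Top:Helpdesk"},
    "finance_admin": {"Top:Helpdesk", "Top:Finance"},
}


def reachable_rules(start, rules):
    """Map every rule reachable from `start` to the reference chain that
    reaches it. Breadth-first, so chains are shortest; cycles are safe."""
    chains = {start: [start]}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        for ref in rules.get(current, (None, []))[1]:
            if ref in rules and ref not in chains:
                chains[ref] = chains[current] + [ref]
                queue.append(ref)
    return chains


def indirect_exposures(rules, user_orgs):
    """List (user, entry rule, secure rule, chain) where a user reaches a rule
    in an organization they cannot access, through a rule they can access."""
    findings = []
    for user, orgs in sorted(user_orgs.items()):
        for entry, (org, _) in sorted(rules.items()):
            if org not in orgs:
                continue  # the user fails the check on the entry rule itself
            for target, chain in sorted(reachable_rules(entry, rules).items()):
                if rules[target][0] not in orgs:
                    findings.append((user, entry, target, " -> ".join(chain)))
    return findings


if __name__ == "__main__":
    for finding in indirect_exposures(RULES, USER_ORGS):
        print("%s: %s exposes %s via %s" % finding)
```

Each finding names an entry rule whose access rights should be reviewed, because granting access to it also grants the ability to call the secure rule at the end of the chain.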