Allow setting the decision strategy for permissions #44008

@pedroigor

Description

By design, permissions are set with the decision strategy UNANIMOUS, by default. Just like other decisions made for FGAP v2, we wanted to start with hard constraints on the key aspects of the feature, mainly those that are related to how permissions are enforced and evaluated.

Based on the community feedback, the UNANIMOUS decision forces users and administrators to use aggregate policies whenever they want a permission to be granted if any of the associated policies grant access.

We should consider allowing setting the decision strategy on permissions, such as AFFIRMATIVE, so that administrators can opt in for how the decision should be made when evaluating the policies associated with the permission.

Value Proposition

Improve UX on FGAP v2 by allowing administrators to choose how the policies associated with a permission should be evaluated.

Goals

Improve UX on FGAP v2 by allowing administrators to choose how the policies associated with a permission should be evaluated.

Non-Goals

N/A

Discussion

#40965 (comment)

Notes

The fix should be about:

  • Adding a Decision Strategy field to the Permission UI, similar to what we have for regular policies
  • The UNANIMOUS decision strategy should still be the default
  • Update the testsuite
  • Update documentation
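
The effect of the two strategies discussed in this issue, as an added example (a standalone model, not Keycloak code or its API): it compares the default UNANIMOUS permission, the aggregate-policy workaround, and the proposed per-permission AFFIRMATIVE setting. The `Permission`, `aggregate`, policy helpers and sample identities are constructed for illustration, and denying when no policy is attached is this model's assumption.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Sequence

Policy = Callable[[dict], bool]  # identity attributes -> grant?

class DecisionStrategy(Enum):
    UNANIMOUS = "UNANIMOUS"      # every associated policy must grant
    AFFIRMATIVE = "AFFIRMATIVE"  # one granting policy is enough

def decide(strategy: DecisionStrategy, votes: Sequence[bool]) -> bool:
    if not votes:
        return False  # assumption of this model: no policies means deny
    return all(votes) if strategy is DecisionStrategy.UNANIMOUS else any(votes)

@dataclass(frozen=True)
class Permission:
    policies: Sequence[Policy]
    # The issue asks that UNANIMOUS remain the default.
    strategy: DecisionStrategy = DecisionStrategy.UNANIMOUS

    def evaluate(self, identity: dict) -> bool:
        return decide(self.strategy, [p(identity) for p in self.policies])

def aggregate(strategy: DecisionStrategy, policies: Sequence[Policy]) -> Policy:
    """Model of an aggregate policy: wraps several policies into a single vote."""
    return lambda identity: decide(strategy, [p(identity) for p in policies])

def in_group(name: str) -> Policy:
    return lambda identity: name in identity.get("groups", ())

def has_role(name: str) -> Policy:
    return lambda identity: name in identity.get("roles", ())

# Constructed policies and identities.
support, auditor = in_group("support"), has_role("auditor")
IDENTITIES = {
    "alice": {"groups": ["support"], "roles": []},
    "bob": {"groups": [], "roles": []},
    "carol": {"groups": ["support"], "roles": ["auditor"]},
}

def outcomes(permission: Permission) -> dict:
    return {name: permission.evaluate(i) for name, i in IDENTITIES.items()}

default_perm = Permission([support, auditor])  # today's behaviour
workaround = Permission([aggregate(DecisionStrategy.AFFIRMATIVE, [support, auditor])])
proposed = Permission([support, auditor], DecisionStrategy.AFFIRMATIVE)

if __name__ == "__main__":
    for label, perm in (("default", default_perm), ("workaround", workaround), ("proposed", proposed)):
        print(label, outcomes(perm))
```

Switching a permission from UNANIMOUS to AFFIRMATIVE widens who is granted access (here, `alice`), so a change to this field is worth reviewing like any other policy change.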
