I currently have a Realm tied to a policy:
mydomain.com/realm1 ----> tied to Policy 1
I then made a sub-realm:
mydomain.com/realm1/subrealm1 ---> the sub-realm is tied to Policy 2
When a user goes to "mydomain.com/realm1/subrealm1", do they have to qualify for both Policy 1 and Policy 2?
Or will only the Policy 2 check be run? What I want is for only Policy 2 to be checked, but I don't think that is happening. I want a group of users to have access to just the sub-realm and NOT the parent realm.
Is that possible?
For a nested realm, the user needs to qualify for the policies tied to all the parent realms as well, besides that of its own realm.
Let's illustrate this a bit further.
So your use case is:
Realm 1: /parent/
Policy: Allow user: user1
Sub Realm: /parent/child/
Policy: Allow user: user2
Here, user2 will NOT be authorized for the sub-realm, as it is NOT authorized for the parent realm, which will be checked first.
However, you can achieve this by having two independent realms like this:
Realm 2: /parent/child/
In this case, the Policy Server will match the realm with the more specific resource filter; as such, it will evaluate only Realm 2, and user2 will be authorized for the /parent/child/ resource.
Hope this helps.
Thank you, answered my question!
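The two setups from the answer above, as a small Python model added here for illustration (it is not code from the thread or from the product). The `Realm` class, the relative sub-realm filter `child/`, the sample paths, and the use of a user set in place of a policy are assumptions of the model.

```python
# Toy model of the realm evaluation described in the answer; not Policy Server code.
from dataclasses import dataclass, field

@dataclass
class Realm:
    resource_filter: str      # top-level: full prefix; nested: relative to parent (assumed)
    allowed_users: frozenset  # stands in for the policy bound to the realm
    children: list = field(default_factory=list)

def matching_chain(realm, path, prefix=""):
    """Realms from `realm` down to the deepest nested realm covering `path`."""
    full = prefix + realm.resource_filter
    if not path.startswith(full):
        return []
    for child in realm.children:
        deeper = matching_chain(child, path, full)
        if deeper:
            return [realm] + deeper
    return [realm]

def authorize(top_level_realms, user, path):
    """Pick the top-level realm with the most specific filter, then require the
    user to pass every realm on the nested chain, parents first."""
    matches = [r for r in top_level_realms if path.startswith(r.resource_filter)]
    if not matches:
        return None  # no realm covers the path in this model
    best = max(matches, key=lambda r: len(r.resource_filter))
    return all(user in r.allowed_users for r in matching_chain(best, path))

# Setup from the question: sub-realm nested under the parent realm.
NESTED = [Realm("/parent/", frozenset({"user1"}),
                [Realm("child/", frozenset({"user2"}))])]

# Setup from the answer: two independent top-level realms.
INDEPENDENT = [Realm("/parent/", frozenset({"user1"})),
               Realm("/parent/child/", frozenset({"user2"}))]

if __name__ == "__main__":
    for name, realms in (("nested", NESTED), ("independent", INDEPENDENT)):
        for user in ("user1", "user2"):
            for path in ("/parent/index.html", "/parent/child/page.html"):
                print(name, user, path, authorize(realms, user, path))
```

In this model the independent layout also means user1 no longer reaches `/parent/child/` unless added to that realm's policy, since only the more specific realm is evaluated there.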