Question:
I'd like to know how Policy Server searches the membership of a user
to determine whether a specific policy applies. In particular, I'm
interested in the order of the group search when multiple groups are
bound to a policy.
Answer:
Out of the box, during the authorization phase Policy Server searches
for the user in all of the groups that are added to the policy. Policy
Server does not follow any order while searching for the user, so the
group search order is random. Once the user is found in one group,
Policy Server stops searching. The user search does not follow the
order given in the AdminUI.
This behavior is seen with both LDAP and ODBC stores.
KB : KB000120651