Currently, bypass attributes are evaluated before permissions. However, this approach is problematic for installations seeking to reduce or eliminate their dependency on bypass attributes in that it imposes unnecessary manual research upon the security administrator to see if existing permissions may address the security requirements.
I would like to have an option to change the order of evaluation such that bypass attributes are evaluated after permissions.
In this scenario, if no permit is found that would grant the access, but where a bypass attribute associated with the accessor ID is applicable, TSSUTIL would report "OK+B" as it does today. Alternatively, if a permit is found which denies the access requested, but where a bypass attribute associated with the user provides access, TSSUTIL would report "OK+x" ("x" to be determined by CA Technologies).
This approach will permit an installation to gather the information necessary to reduce or eliminate its dependency on bypass attributes.
John P. Baker