From b5bca27c07eee7ce4795d6dde2c5c6f422869a30 Mon Sep 17 00:00:00 2001 From: Piotr Kazmierczak <470696+pkazmierczak@users.noreply.github.com> Date: Fri, 17 May 2024 17:40:12 +0200 Subject: [PATCH] docs: add a note to binding rules docs about multiple rules application (#20624) --- website/content/docs/concepts/acl.mdx | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/website/content/docs/concepts/acl.mdx b/website/content/docs/concepts/acl.mdx index aee744db8..784fbd5da 100644 --- a/website/content/docs/concepts/acl.mdx +++ b/website/content/docs/concepts/acl.mdx @@ -72,6 +72,13 @@ is directly related to a single auth method, and therefore only evaluated by login attempts using that method. All binding rules mapped to an auth method are evaluated during each login attempt. + + Binding rules are evaluated in no specific order, and should there be an + overlap in their selectors or scope, a "sum" of all the binding rules will be + applied, thus the least granular binding rules will always override the more + granular ones, as long as they apply to the same auth method and identity. + + A successful selector match between an SSO provider claim and a binding rule will result in the generated ACL token having the identified ACL role or policy assigned to it. If the `BindType` parameter is `management`, the ACL token
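Review bot: In the added paragraph, the clause "the least granular binding rules will always override the more granular ones" does not follow from the clause before it, which says a "sum" of all the binding rules is applied: under a sum nothing is overridden, the token simply carries what every matching rule grants. Suggest stating the consequence directly, for example that a narrowly scoped rule cannot reduce what a broader rule grants for the same auth method and identity, and spelling out "sum" as the token being assigned the ACL roles and policies of every matching rule. "Least granular" and "scope" are also left undefined; say whether granularity refers to the selector or to the bound role or policy. Because the paragraph that follows covers the `management` value of `BindType`, it would help to state whether a matching management rule takes part in that sum, since that is the overlap an operator most needs to audit.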