How does policy ordering work ? #9358

paulchabanon · 2024-04-19T19:05:15Z

paulchabanon
Apr 19, 2024

Hello,

I am currently testing Authentik on my server and I really like it!
Big props to all the team !

I have been doing a bit of testing and there is some fundamental logic that I seem to miss.
Here is my case:

I followed the instructions at the bottom of this page https://docs.goauthentik.io/integrations/sources/google/ to do the username mapping and it works like a charm but, I am wondering what is going on when they are multiple policies conditioning a stage.

I have here two policies with orders 0 and 1.

Here is the corresponding diagram:

I was expecting a "first matched" policy system, especially because I have selected "any" for the policy matching option in the stage binding, which I understand as: if the first policy doesn't match the second is tried, then the third, and so on.
But, in the diagram my policies appear on the same "level" (or hight) which I found confusing.
I don't really understand why that is and why they are both connected to the flow start.

My tests seam to show that, because default-source-enrollment-if-username is "order 1", it appears to be never evaluated.
In the diagram we can see that non of the outputs of dz-google-sso-username-mapping-policy are going back to default-source-enrollment-if-username. Is their even a scenario where default-source-enrollment-if-username is evaluated ?

Thank you in advance for those clarifications.

Answered by aureateflux

Jun 12, 2024

You've probably figured this out by now, but I wanted to reply to this because I found your post while I was trying to figure out a similar problem.

Your assumptions aren't that far off-- the two Policy Engine options change the behavior of the policy check. "Any" should execute the stage if any single bound, enabled policy matches, while "All" should execute the stage only if every bound, enabled policy matches.

The problem is that they're .. mislabeled. Currently (June 12, 2024), if you want the "any" behavior, you have to select "all," and vice versa.

Hope this helps!

View full answer

aureateflux · 2024-06-12T06:01:44Z

aureateflux
Jun 12, 2024

You've probably figured this out by now, but I wanted to reply to this because I found your post while I was trying to figure out a similar problem.

Your assumptions aren't that far off-- the two Policy Engine options change the behavior of the policy check. "Any" should execute the stage if any single bound, enabled policy matches, while "All" should execute the stage only if every bound, enabled policy matches.

The problem is that they're .. mislabeled. Currently (June 12, 2024), if you want the "any" behavior, you have to select "all," and vice versa.

Hope this helps!

1 reply

paulchabanon Jun 17, 2024
Author

Thank you for those clarifications ;)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

How does policy ordering work ? #9358

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

How does policy ordering work ? #9358

Uh oh!

paulchabanon Apr 19, 2024

Replies: 1 comment · 1 reply

Uh oh!

aureateflux Jun 12, 2024

Uh oh!

paulchabanon Jun 17, 2024 Author

paulchabanon
Apr 19, 2024

Replies: 1 comment 1 reply

aureateflux
Jun 12, 2024

paulchabanon Jun 17, 2024
Author