Access Resolution and Prioritization

When a user has access to the same resource through multiple safes or group assignments, Fudo Enterprise determines the access path based on a defined priority and set of rules. This ensures predictable and secure access behavior in complex permission scenarios.

User Belongs to Multiple Groups Assigned to the Same Safe and Resource

If a user is a member of two or more groups that are assigned to the same safe and resource, the following rules apply:

  • Password Reveal: If the password reveal option is enabled in at least one of the groups, the user will be able to view the password for the entire safe.

  • Access Time Period: If validity time frames are configured for both groups, Fudo Enterprise checks whether the current time is within the allowed range for each group. If the condition is met in at least one group, the session is allowed.

  • Daily Access Policy: If the user has a time policy enabled, Fudo Enterprise evaluates the time policies from all applicable groups. If the user is within the allowed time frame in any group, the session is permitted.

User Belongs to Multiple Groups Assigned to Different Safes with the Same Resource

When a user can access the same resource through multiple safes via different groups, the resolution follows this logic:

  • Access Time Period: If the current time falls within the validity range of Group A, it is used. Otherwise, Group B is evaluated. If neither group has validity restrictions, the system selects the first group in alphabetical order.

  • Daily Access Policy: If both groups have a daily time policy enabled, Fudo Enterprise checks which group allows access at the current time. Access is granted based on the first group in alphabetical order whose time policy includes the current time or that has no policy configured.

User Has Both Direct and Group-Based Access to the Same Safe and Resource

If a user has a direct assignment to a safe and group-based access to the same safe and resource, direct access takes priority. All settings such as Blocked, Reveal Password, Access Time Period, and Daily Access Policy are taken from the direct user-safe assignment and override any group-based rules.
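The same-safe rules above (settings combined across groups, and a direct assignment overriding all group settings) can be modelled to audit what a user effectively receives. This is an added example, not Fudo Enterprise code: the `Assignment` fields, `effective_access`, and the sample data are assumptions, as is evaluating the two time checks independently of each other.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple

@dataclass
class Assignment:
    # Hypothetical model of one user-to-safe assignment (not Fudo's API).
    source: str                                   # "direct" or a group name
    reveal_password: bool = False
    blocked: bool = False
    validity: Optional[Tuple[datetime, datetime]] = None   # Access Time Period
    daily: Optional[Tuple[time, time]] = None               # Daily Access Policy

    def in_validity(self, now: datetime) -> bool:
        return self.validity is None or self.validity[0] <= now <= self.validity[1]

    def in_daily(self, now: datetime) -> bool:
        return self.daily is None or self.daily[0] <= now.time() <= self.daily[1]

def effective_access(assignments, now):
    """Resolve one user's settings for a single safe and resource."""
    direct = [a for a in assignments if a.source == "direct"]
    if direct:
        # Direct assignment wins: group settings are not consulted at all.
        d = direct[0]
        allowed = not d.blocked and d.in_validity(now) and d.in_daily(now)
        return {"via": "direct", "reveal": d.reveal_password, "allowed": allowed}
    # Group-only access: each setting is satisfied if ANY group satisfies it.
    # Assumption: the two time checks are evaluated independently of each other.
    return {
        "via": "groups",
        "reveal": any(g.reveal_password for g in assignments),
        "allowed": any(g.in_validity(now) for g in assignments)
                   and any(g.in_daily(now) for g in assignments),
    }

# Constructed sample data: two groups on the same safe, plus a direct assignment.
NOW = datetime(2024, 5, 14, 22, 30)
OPS = Assignment("ops", daily=(time(8, 0), time(18, 0)))
ONCALL = Assignment("oncall", reveal_password=True, daily=(time(18, 0), time(23, 59)))
DIRECT = Assignment("direct", blocked=True)

def demo():
    return effective_access([OPS, ONCALL], NOW), effective_access([OPS, ONCALL, DIRECT], NOW)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

With groups only, the most permissive setting applies (password reveal and the late time window come from `oncall`); adding the blocked direct assignment replaces all of that.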

User Has Access to the Same Resource via Direct Safe Assignment and Group-Based Assignment Through a Different Safe

In cases where the user has access to the same resource:

  • Directly through a safe, and

  • Indirectly through a group assigned to a different safe,

Fudo Enterprise will always use the direct connection. The evaluation skips group-level assignments and uses the direct safe connection for access control.

User Has Access to the Same Resource Through Two Safes with Different Positions

In this scenario, the user has access to the same resource through two different safes. One safe is assigned position 1, and the other position 2.


Since position values determine preference, the system will always use the safe with the higher position number—in this case, the one with position 1.

Note

  • First, Fudo Enterprise checks if the user has a direct assignment to the safes. If so, group-based assignments are ignored entirely.

  • Then, among all available direct connections, Fudo Enterprise evaluates the position attribute and selects the safe with the highest position value.

