I’ve set up Authorization with some resources which should be managed by owners. I want to deny access to these resources if an attribute is not present. I’ve set up a JS policy to check the resource attribute and a permission to bind the resource.
The general setting is to enforce policies in unanimous mode (I’ve only one permission defined in the admin console).
If the owner of the resource does not have the required attribute, he will be denied as expected, but if the owner shares the resource (creating a UMA permission ticket), the user with the shared resource has access granted although the policy on the attribute denies access.
It seems to me that permission tickets (UMA) are evaluated on their own and not with the overall policies.
Is that correct?