Hi Phillips,
That's right.
For a nested realm, the user needs to qualify for the policies tied to all the parent realms as well, besides its own realm.
Let's illustrate this a bit further.
So your use case is:
Realm 1: /parent/
Policy: Allow user: user1
Sub Realm: /parent/child/
Policy: Allow user: user2
Here, user2 will NOT be authorized for the sub realm, as it is NOT authorized for the parent realm, which will be checked first.
However, you can achieve this by having two independent realms like this:
Realm 1: /parent/
Policy: Allow user: user1
Realm 2: /parent/child/
Policy: Allow user: user2
In this case, the Policy Server will match the realm with the more specific resource filter; as such, it will evaluate only Realm 2, and user2 will be authorized for the /parent/child/ resource.
Hope this helps.
Regards,
Ujwol
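
A simplified model of the two realm layouts described in the reply above, added here as an illustration; it is not Policy Server code and not part of the original post. The `Realm` class, the `authorize` function, the sample resource paths and the use of full-path resource filters are assumptions made for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Realm:
    resource_filter: str                 # full path prefix (modelling assumption)
    allowed_users: set                   # users the realm's policy allows
    children: list = field(default_factory=list)  # nested sub-realms


def realm_chain(realm, resource, path=()):
    """Return the realms from the top-level realm down to the deepest
    nested realm whose filter matches the resource, or None if no match."""
    if not resource.startswith(realm.resource_filter):
        return None
    path = path + (realm,)
    for child in realm.children:
        deeper = realm_chain(child, resource, path)
        if deeper:
            return deeper
    return path


def authorize(top_level_realms, user, resource):
    """Model of the behaviour described in the reply:
    - among independent realms, only the most specific filter is evaluated;
    - inside a nested hierarchy, every parent realm must also allow the user.
    Returns None when no modelled realm covers the resource."""
    matching = [r for r in top_level_realms
                if resource.startswith(r.resource_filter)]
    if not matching:
        return None
    best = max(matching, key=lambda r: len(r.resource_filter))
    chain = realm_chain(best, resource)
    return all(user in r.allowed_users for r in chain)


# Layout 1 (constructed): /parent/child/ is a sub-realm nested under /parent/
NESTED = [Realm("/parent/", {"user1"},
                children=[Realm("/parent/child/", {"user2"})])]

# Layout 2 (constructed): two independent top-level realms
INDEPENDENT = [Realm("/parent/", {"user1"}),
               Realm("/parent/child/", {"user2"})]

if __name__ == "__main__":
    for name, layout in (("nested", NESTED), ("independent", INDEPENDENT)):
        for user in ("user1", "user2"):
            result = authorize(layout, user, "/parent/child/page.html")
            print(f"{name:12} {user} -> {result}")
```

Running the same check against both layouts before changing realm structure shows which users lose or gain access to the child resource.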