Hi Shivam,
PFB my response (based on my understanding).
Query 1: Which role will SiteMinder take into account to authorize the user? Is it based on order? How can I consistently maintain the order, as the order changes on its own if we modify any role?
As per my understanding, it depends on the order in which the Roles (in this case, Role X and Role Y) have been added.
Note: here, order does not represent the sequence displayed in the WAMUI (as it can be sorted either ascending or descending). It denotes which Role was added first.
From my tests, I found that the most recently added Role/Group is checked first. So, per my understanding, it follows a stack approach (Last In, First Out).
Query 2: How can we figure out which role has been taken into account to authorize the user? (Any custom logic or Java code to figure out this part?)
I am not sure if there is any custom logic or Java code for it, but you can easily find which role has been used from the Policy Server profiler logs.
For instance:
Consider the following simple example.
Az groups are added in the following order: Group1, Group2 and Group3
User1 is a member of Group1 and Group2
Policy Server Profiler Logs:
[10/16/2018][16:30:04.545][16:30:04][13704][17940][SmDsLdapProvider.cpp:2624][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group3,ou=Groups,o=dkuserstore,c=India', Filter: 'member=cn=User1,ou=NormalUsers,ou=Users,o=dkuserstore,c=India'. Status: 0 entries][][Ldap SearchCount callout succeeds.]
[10/16/2018][16:30:04.545][16:30:04][13704][17940][SmDsLdapProvider.cpp:2624][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group2,ou=Groups,o=dkuserstore,c=India', Filter: 'member=cn=User1,ou=NormalUsers,ou=Users,o=dkuserstore,c=India'. Status: 1 entries][][Ldap SearchCount callout succeeds.]
Result:
Group3 is checked first as it is the last added group.
User1 is authorized using Group2.
Thanks.
Regards,
Dhilip
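As an added example (not part of Dhilip's post or of any SiteMinder-supplied tool), the following Python script parses `CSmDsLdapProvider::SearchCount` lines from the profiler log in the format shown above, recovers the order in which the groups were checked, and reports the first group whose membership search returned one or more entries, i.e. the group that authorized the user. The sample input is the two log lines from the post; the regular expression, the `first_rdn_value` helper and the assumption that the filter always has the form `member=<user DN>` are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the two SearchCount lines quoted in the post above.
SAMPLE_LOG = """\
[10/16/2018][16:30:04.545][16:30:04][13704][17940][SmDsLdapProvider.cpp:2624][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group3,ou=Groups,o=dkuserstore,c=India', Filter: 'member=cn=User1,ou=NormalUsers,ou=Users,o=dkuserstore,c=India'. Status: 0 entries][][Ldap SearchCount callout succeeds.]
[10/16/2018][16:30:04.545][16:30:04][13704][17940][SmDsLdapProvider.cpp:2624][CSmDsLdapProvider::SearchCount][][][][][][][][][][][][][][][][][][][(SearchCount) Base: 'cn=Group2,ou=Groups,o=dkuserstore,c=India', Filter: 'member=cn=User1,ou=NormalUsers,ou=Users,o=dkuserstore,c=India'. Status: 1 entries][][Ldap SearchCount callout succeeds.]
"""

# Assumed layout (matches the lines above): date and time in the first two
# bracketed fields, then the SearchCount message somewhere later on the line.
SEARCHCOUNT_RE = re.compile(
    r"^\[(?P<date>[^\]]*)\]\[(?P<time>[^\]]*)\].*?"
    r"\(SearchCount\) Base: '(?P<base>[^']*)', Filter: '(?P<filter>[^']*)'\. "
    r"Status: (?P<count>\d+) entries"
)


@dataclass
class GroupCheck:
    """One membership probe the Policy Server made against a group DN."""
    timestamp: str   # "<date> <time>" as written in the log
    group_dn: str    # search base, e.g. cn=Group3,ou=Groups,...
    group_cn: str    # value of the first RDN of the base, e.g. Group3
    member_dn: str   # user DN taken from the member= filter
    entries: int     # number of entries the search returned (0 = not a member)


def first_rdn_value(dn: str) -> str:
    """'cn=Group3,ou=Groups,o=x' -> 'Group3' (value of the leading RDN)."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def parse_group_checks(log_text: str) -> List[GroupCheck]:
    """Extract SearchCount probes in the order they appear in the log."""
    checks: List[GroupCheck] = []
    for line in log_text.splitlines():
        m = SEARCHCOUNT_RE.match(line)
        if not m:
            continue  # not a SearchCount line; other profiler output is ignored
        filt = m.group("filter")
        # Assumption: the filter is 'member=<user DN>'; fall back to the raw filter.
        member_dn = filt.split("=", 1)[1] if filt.lower().startswith("member=") else filt
        checks.append(GroupCheck(
            timestamp=f"{m.group('date')} {m.group('time')}",
            group_dn=m.group("base"),
            group_cn=first_rdn_value(m.group("base")),
            member_dn=member_dn,
            entries=int(m.group("count")),
        ))
    return checks


def check_order(checks: List[GroupCheck]) -> List[str]:
    """Group CNs in the order the Policy Server probed them (most recent first)."""
    return [c.group_cn for c in checks]


def authorizing_group(checks: List[GroupCheck]) -> Optional[str]:
    """First group whose membership search returned at least one entry."""
    for c in checks:
        if c.entries > 0:
            return c.group_cn
    return None  # no group matched: the user was not authorized via these groups


if __name__ == "__main__":
    probes = parse_group_checks(SAMPLE_LOG)
    for p in probes:
        print(f"{p.timestamp}  {p.group_cn:<8} entries={p.entries}")
    print("checked in order:", check_order(probes))
    print("authorized by:", authorizing_group(probes))
```

Running it on the two lines above prints the probes for Group3 (0 entries) and then Group2 (1 entry), so the check order is `['Group3', 'Group2']` and the authorizing group is `Group2`, which is exactly the reading Dhilip gives of the log. Against a real profiler log you would feed it the full file and, if several users or requests are interleaved, filter the returned list by `member_dn` before calling `authorizing_group`.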