Determining authorization

The following order is used to determine role-based authorization:

  1. If the user is authorized, the search terminates and authorization is granted.

  2. If the user is excluded, the user is declined access to the resource.

  3. If the user is in an authorized group:

    1. Check if the role is a member of the authorized group.

    2. If this check succeeds, check if the role is a member of an excluded group list—if not, grant access to the resource.
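The evaluation order above as an added example (not EAServer code). It assumes the step 3 membership checks are made against the user's groups and that a request matching no list is denied; `RolePolicy`, `is_authorized` and the sample users and groups are hypothetical.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class RolePolicy:
    """Constructed stand-in for one role's four lists (hypothetical names)."""
    authorized_users: frozenset = frozenset()
    excluded_users: frozenset = frozenset()
    authorized_groups: frozenset = frozenset()
    excluded_groups: frozenset = frozenset()


def is_authorized(policy, user, user_groups):
    """Return (granted, reason), following the documented order."""
    groups = frozenset(user_groups)
    # Step 1: an explicitly authorized user ends the search immediately.
    if user in policy.authorized_users:
        return True, "authorized user"
    # Step 2: an excluded user is declined before any group is consulted.
    if user in policy.excluded_users:
        return False, "excluded user"
    # Step 3: authorized group first, then the excluded group list.
    if groups & policy.authorized_groups:
        if groups & policy.excluded_groups:
            return False, "excluded group"
        return True, "authorized group"
    # Assumption: the page does not cover this case; deny by default.
    return False, "no match"


# Constructed sample policy and requests.
POLICY = RolePolicy(
    authorized_users=frozenset({"alice"}),
    excluded_users=frozenset({"alice", "bob"}),
    authorized_groups=frozenset({"finance"}),
    excluded_groups=frozenset({"contractors"}),
)
CASES = [
    ("alice", {"finance"}),                # on both user lists
    ("bob", {"finance"}),                  # excluded by name, group ignored
    ("carol", {"finance"}),                # authorized through the group
    ("dave", {"finance", "contractors"}),  # authorized group, excluded group
    ("erin", {"sales"}),                   # matches no list
]


def evaluate_cases():
    return {user: is_authorized(POLICY, user, groups) for user, groups in CASES}
```

`alice` is on both user lists and is still granted, because step 1 ends the search before the excluded user list is consulted; an exclusion only takes effect for users who are not also individually authorized.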

Purpose of excluded lists

When you use group-based authorization, excluded lists simplify the task of granting authorization to a small number of users by denying access to users based on their user names rather than the authorized groups to which they belong.

Note: If a user is a member of an excluded user or group list, EAServer does not invoke the Role Service (CtsSecurity/RoleService), even if one is defined for that server.