You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When multiple subject mappings exist for the same attribute value, and one mapping's condition fails to match (e.g., uses a selector that doesn't evaluate), it prevents OTHER mappings for that same value from granting access. Removing the non-matching mapping fixes the issue.
Steps to Reproduce
Create attribute value test_weight
Create mapping A: .preferred_username IN ["alice"] → test_weight (action: read)
Attempt decrypt as alice (whose preferred_username is "alice")
Expected Behavior
Mapping A should match (preferred_username = "alice") and grant access, regardless of whether mapping B matches or not. Multiple mappings for the same value should be evaluated independently.
Actual Behavior
The entitlement evaluation returns empty (Entitlements:map[]). Neither mapping grants access. Decrypt fails with permission_denied.
Proof That Mapping A Works Alone
Delete mapping B (the .sub one)
Retry decrypt as alice
Success — mapping A now evaluates correctly and grants access
Impact
This is critical for applications that evolve their subject mapping strategy. If old mappings with outdated selectors are left in the platform, they silently break working mappings for the same attribute values. There is no error message indicating which mapping or selector caused the failure — the audit log only shows Entitlements:map[].
Suggested Fix
Subject mappings for the same attribute value should be evaluated independently. A non-matching mapping should not affect the evaluation of other mappings. Consider:
Evaluating all mappings and granting access if ANY match (union semantics)
Or at minimum, logging which specific mapping/condition failed to help debugging
Description
When multiple subject mappings exist for the same attribute value, and one mapping's condition fails to match (e.g., uses a selector that doesn't evaluate), it prevents OTHER mappings for that same value from granting access. Removing the non-matching mapping fixes the issue.
Steps to Reproduce
test_weight.preferred_username IN ["alice"]→test_weight(action: read).sub IN ["alice-uuid"]→test_weight(action: read)(Note:
.subdoesn't evaluate in claims mode — see Subject mapping .sub selector doesn't match in claims ERS mode #3188)preferred_usernameis"alice")Expected Behavior
Mapping A should match (
preferred_username="alice") and grant access, regardless of whether mapping B matches or not. Multiple mappings for the same value should be evaluated independently.Actual Behavior
The entitlement evaluation returns empty (
Entitlements:map[]). Neither mapping grants access. Decrypt fails withpermission_denied.Proof That Mapping A Works Alone
.subone)Impact
This is critical for applications that evolve their subject mapping strategy. If old mappings with outdated selectors are left in the platform, they silently break working mappings for the same attribute values. There is no error message indicating which mapping or selector caused the failure — the audit log only shows
Entitlements:map[].Suggested Fix
Subject mappings for the same attribute value should be evaluated independently. A non-matching mapping should not affect the evaluation of other mappings. Consider:
Environment
claims