When Access Gateway discovers a rule in an Authorization policy that either permits or denies a user access to a protected resource, it stops processing the rules in the policy. Use the following guidelines in determining whether your Authorization policy needs multiple rules:
If the policy enforces multiple access requirements that can result in differing actions (either permit or deny), use separate rules to define the conditions and actions.
If you want other conditions or actions processed when a rule fails, you must create a second rule for the users that fail to match the conditions.
If you create multiple rules, you can modify the order that the rules are processed. This allows you to create policies that contain a number of Permit rules that allow access if the user matches the rule. The lowest priority rule in such a policy is a Deny rule, which denies access to everyone who has not previously matched a Permit rule.
IMPORTANT:If you create policies with multiple Permit rules, you must make the last rule in the policy a generic deny policy (a rule with no conditions and with an action of deny). This ensures that if Result on Error Condition in a rule is set incorrectly, the user matches the last rule and is denied access. Without this rule, a user might gain access because the user did not match any of the rules.
You can create a number of policies and enable multiple policies for the same protected resource. Rule priority determines how the enabled policies interact with each other. The rules in the policies are gathered into one list, then sorted by priority. The processing rules are applied as if the rules came from one policy. It is a personal design issue whether you create a policy with multiple rules or create multiple policies that you enable on a single protected resource. Either design produces a list of rules, sorted by priority, that is applied to the user requesting access to the protected resource.