We have several realm level HC policies, most for end users but one for IT which is different than those of end users. At the top level of the realm HC is set to eval all of the policies, which is how it is supposed to be set up, and then at the user group for IT we have just the HC policy that applies to IT set as an enforce.
In the role mapping, we have the IT group listed and then set to STOP processing rules. However, we see that HC is applying and enforcing a role onto the IT group that doesn't even apply. Any ideas?
When you refer to a role being applied that is not for the IT group, do you mean users are mapping unexpectedly to a role OR that Host Checker is running ALL policies for all users on the realm?
If the latter, this is correct: Host Checker must evaluate for all connections, there is no "stopping" the evaluation process.
For the role mapping, do you have the IT role as the first evaluation and then a stop?
Please note that HC is just a tool that is checking your client for several configurations to be in place:
- if you have the right AV
- if you're part of a domain and so on
At realm level you can set them to evaluate, but the purpose of this is to later use the results of these Host Checker evaluations (whether they are successful or not does not matter) for either:
- role mapping (via custom expressions)
- restrictions on getting a role or not
- restrictions to a specific resource.
I hope this helps.
A policy trace should tell us the exact HC policies and roles that are being applied. I believe it should help at least narrow down the issue.