lmontrieux
commented
10 years ago On second thought, this should not raise an error, but a warning. Indeed, SSoD implies DSoD. In the scenario above, the policy is not incorrect, but the DSoD declaration is redundant.
There should not be both an SSoD and a DSoD constraint between the same two roles. For example:
ssod{(Role1 Role2)} dsod{(Role1 Role2)}Doesn't make much sense (dsod doesn't add anything). An error should be raised. Since it is the dsod constraint that is superfluous, it is where the error should appear.