.. _users_in_policies:

Users in policies
~~~~~~~~~~~~~~~~~
The user field in the policies need a deeper explanation.

Within the scope `admin`, `license`, `audit`  and `system` the user field is used to enter a list of administrator names.

In the scope `selfservice`, `authorization`, `enrollment` and `authentication` the user field can be used to specify users and resolvers.
Thus the user field can be used to split policies within realms by users or resolvers.

.. note:: When using the user field you should always define a certain realmname in the realm field and not use the `*` for the realms.

Users are specified with the normal username like::

   user1, user2, user3

Resolvers are specified with the name of the resolvers followed by a colon, to mark this as a resolver::

   resolvername1:, resolvername2:

.. note::

   It is also possible to mix users and resolvers like this::

       user1, resolvername1:, user2, user3

The policy logic works like this:

   1. If a policy in the scope is found for this very user, then this policy is applied 
      and all other policies in this scope not containig the user are ignored.

   2. The resolver of the user is determined. If a policy in the scope for this resolver is
      found, this policy is applied and the other policies are ignored for this user.

   3. If within this scope no policy with the very username and no policy with a resolver the
      user is in is found, than the policies containing no user entries are applied for this user.

Imagine a realm `realm1` with two resolvers `resolv1` and `resolv2`. There are four users, `user1a`,
`user1b` and `user1c` in `resolv1` and `user2` in `resolv2`.

The following policies are defined::

   [pol1]
   scope = selfservice
   action = webprovisionGOOGLE
   realm = realm1
   user = ""

   [pol2]
   scope = selfservice
   action = webprovisionGOOGLE, setOTPPIN
   realm = realm1
   user = user1a

   [pol3]
   scope = selfservice
   action = webprovisionGOOGLE, setOTPPIN, disable
   realm = realm1
   user = user1b, resolv2:

**pol1** will be applied for `user1c` as this policy does not define any user and as `user1c` or his resolver does not appear in any other policy.

**pol2** will be applied for `user1a` since this user is explicitly listed in the policy.

**pol3** will be applied for `user1b` as the user is listed in the policy and it will be applied for `user2` since the resolver of this user is listed in the policy.