Hello! Recently I found a bug in dynamic role evaluation. Prerequisites:
1. Clean ISIM 6.0.2.4
2. Two dynamic roles specified. One of them has 1) a multi-valued attribute 2) with Unicode characters 3) and a substring match. The second role is for control.
For example:
"Test role 1" with filter "(&(title=superhero)(erAliases=雪*))"
"Test role 2" with filter "(title=superhero)"
When a user is created with attributes, matching both roles (title=superhero, erAliases=雪風), only Test role 2 is assigned to user. If a user is modified, it still does not assign Test role 1.
A user can be found in User management, if the filter from Test role 1 is copied to Advanced user search.
Only modifying the role itself includes the user in that role.
Moreover, if a user with said attributes is already in the role and the user is modified, the role disappears.
As the whole provisioning policies mechanism can rely on dynamic roles, I consider such behaviour a significant security impact.
------------------------------
Amogh Blue
------------------------------
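
An added example, not part of the original post and not ISIM code: a small reference evaluator for the two role filters above, used to list users whose assigned dynamic roles differ from what the filters say they should be. The record layout, the function names, the user name, the second alias value and case-insensitive matching are assumptions made for illustration.

```python
import re

def _node(f, i):
    """Parse one filter node starting at f[i]; return (node, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = _node(f, i)
            kids.append(kid)
        return (op, kids), i + 1              # i + 1 skips the closing ')'
    end = f.index(")", i)
    attr, _, value = f[i:end].partition("=")
    return ("=", attr.lower(), value), end + 1

def parse(f):
    """Parse an LDAP filter subset: &, |, !, equality and '*' substrings."""
    node, pos = _node(f, 0)
    if pos != len(f):
        raise ValueError("trailing data after filter")
    return node

def matches(node, entry):
    """entry maps lower-case attribute names to lists of values."""
    if node[0] == "&":
        return all(matches(k, entry) for k in node[1])
    if node[0] == "|":
        return any(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # '*' is the only wildcard; every other character, non-ASCII included, is literal
    rx = re.compile(".*".join(re.escape(p) for p in value.split("*")), re.I | re.S)
    # multi-valued attribute: one matching value is enough
    return any(rx.fullmatch(v) for v in entry.get(attr, []))

def role_drift(roles, users):
    """List (user, role, 'missing' | 'unexpected') where assignment != filter result."""
    out = []
    for name, user in users.items():
        for role, flt in roles.items():
            expected = matches(parse(flt), user["attrs"])
            if expected != (role in user["roles"]):
                out.append((name, role, "missing" if expected else "unexpected"))
    return out

# Filters from the post; the user record is constructed to mirror the reported state
ROLES = {"Test role 1": "(&(title=superhero)(erAliases=雪*))", "Test role 2": "(title=superhero)"}
USERS = {"constructed-user": {"attrs": {"title": ["superhero"], "eraliases": ["yukikaze", "雪風"]},
                              "roles": {"Test role 2"}}}
```

Running `role_drift(ROLES, USERS)` over an export of people and their current role assignments flags each user the filter selects but the role does not contain.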