How combined security rules are evaluated
It is important to understand how RESTRICT rules and EXTEND rules are combined.
Many administrators assume that the EXTEND rule is evaluated after the RESTRICT rule, like this:
If ((RBS=True AND RESTRICT_RULE_RESULT=True) OR EXTEND_RULE_RESULT=True), then grant access
The result would be that a user gets access in the following scenarios:
- Role-based security is granted and the RESTRICT rule result is true, OR
- The EXTEND rule result is true.
But this is not the case. Each rule is evaluated within the context of role-based security, and then an OR condition is applied:
If ((RBS=True AND RESTRICT_RULE_RESULT=True) OR (RBS=True OR EXTEND_RULE_RESULT=True)), then grant access
Let's expand on this example to see the potential misunderstanding more clearly. Suppose that you have a user with the following set of circumstances:
- Role-based security access is granted to the user
- The RESTRICT rule for this user evaluates to FALSE
- The EXTEND rule for this user evaluates to FALSE
Using the formula from the assumed behavior, the result of this scenario would be False:
((RBS=True AND RESTRICT_RULE_RESULT=True) OR EXTEND_RULE_RESULT=True) =
((True=True AND False=True) OR False=True) =
((True AND False) OR False) =
(False OR False) =
(False)
However, the formula that is actually being used is:
(RBS=True AND RESTRICT_RULE_RESULT=True) OR (RBS=True OR EXTEND_RULE_RESULT=True) =
(True=True AND False=True) OR (True=True OR False=True) =
(True AND False) OR (True OR False) =
(False OR True) =
(True)
Therefore, access would be granted for this user.
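The comparison above, carried across all eight input combinations, as an added example that is not part of the original documentation. The function names are hypothetical; the two expressions are the formulas exactly as written on this page.

```python
from itertools import product


def assumed_access(rbs, restrict, extend):
    """Formula many administrators assume: EXTEND is applied after RESTRICT."""
    return (rbs and restrict) or extend


def actual_access(rbs, restrict, extend):
    """Formula this page gives as the one actually used."""
    return (rbs and restrict) or (rbs or extend)


def divergences():
    """Every (rbs, restrict, extend) input where the two formulas disagree."""
    return [combo for combo in product([True, False], repeat=3)
            if assumed_access(*combo) != actual_access(*combo)]


def restrict_changes_outcome():
    """True if flipping only the RESTRICT result ever changes actual_access."""
    return any(
        actual_access(rbs, True, extend) != actual_access(rbs, False, extend)
        for rbs, extend in product([True, False], repeat=2)
    )


if __name__ == "__main__":
    # Full truth table, with the rows a security review should focus on flagged.
    print(f"{'RBS':<6}{'RESTRICT':<10}{'EXTEND':<8}{'assumed':<9}{'actual':<8}")
    for rbs, restrict, extend in product([True, False], repeat=3):
        assumed = assumed_access(rbs, restrict, extend)
        actual = actual_access(rbs, restrict, extend)
        flag = "  <-- granted although the assumed model denies" \
            if actual and not assumed else ""
        print(f"{rbs!s:<6}{restrict!s:<10}{extend!s:<8}"
              f"{assumed!s:<9}{actual!s:<8}{flag}")
    print("Inputs where the formulas disagree:", divergences())
    print("RESTRICT result affects the actual outcome:",
          restrict_changes_outcome())
```

The only input where the two formulas disagree is the scenario walked through above (role-based access granted, both rules false). With the formula as written on this page, the RESTRICT result never changes the outcome once a RESTRICT rule and an EXTEND rule are combined, which is the case to test explicitly when reviewing a rule design.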
It is critical to understand how security rules work in combination with each other before you design your security framework. Incorrect assumptions about this behavior can lead to insecure models.