Consider effect equality

2 files changed, 4 insertions, 1 deletions

diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
index 3a42c0c6535..317229f9e9a 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/integration/athenz/AthenzAccessControlService.java
@@ -165,6 +165,8 @@ public class AthenzAccessControlService implements AccessControlService {
 
     private AthenzAssertion getApprovalAssertion(AthenzRole accessRole) {
         var approverRole = new AthenzRole(accessRole.domain(), "vespa-access-approver");
-        return AthenzAssertion.newBuilder(approverRole, accessRole.toResourceName(), "update_members").build();
+        return AthenzAssertion.newBuilder(approverRole, accessRole.toResourceName(), "update_members")
+                .effect(AthenzAssertion.Effect.ALLOW)
+                .build();
     }
 }
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java
index cf6f40155fc..49cc31fe8c2 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/api/AthenzAssertion.java
@@ -39,6 +39,7 @@ public class AthenzAssertion {
     public boolean satisfies(AthenzAssertion other) {
         return role.equals(other.role()) &&
                 action.equals(other.action()) &&
+                effect().equals(other.effect()) &&
                 resource.equals(other.resource());
     }