The Access Control Context options are present as a panel for each Context when opening the Session Properties dialog. This panel allows ZAP users to define the Access Rules for each User of each Context.
As mentioned on the concepts page, ZAP makes use of the tree-based structure of URLs. So, when configuring the access rules, only one rule needs to be set explicitly for an entire subtree, while the rules for the other nodes are inferred. Three possible values can be set for any node in Context for each User:
By default, the rule for any node has a value of Inherited and the root node has a value of Unknown. Thus, for any node without a parent with an explicitly configured rule, the inferred rule will default to Unknown.
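The inference described above, as an added Python sketch (a simplified model, not ZAP's own code): the nearest explicitly configured ancestor decides a node's rule, and nodes with none resolve to Unknown. `Allowed` and `Denied` are assumed here as the other two settable values, and the site, paths, rule set and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# "Inherited" and "Unknown" are named on this page; "Allowed" and "Denied"
# are assumed here as the other two values a node can be set to.
ALLOWED, DENIED, INHERITED, UNKNOWN = "Allowed", "Denied", "Inherited", "Unknown"


def node_path(url):
    """Split a URL into tree nodes: the site first, then one node per path segment."""
    parts = urlsplit(url)
    site = f"{parts.scheme}://{parts.netloc}"
    return (site, *[seg for seg in parts.path.split("/") if seg])


def effective_rule(explicit_rules, url):
    """Walk from the node up towards the root; the nearest explicit rule wins."""
    path = node_path(url)
    while path:
        rule = explicit_rules.get(path, INHERITED)
        if rule != INHERITED:
            return rule
        path = path[:-1]  # move to the parent node
    return UNKNOWN  # nothing explicit on the way up: the root's default applies


def unresolved(explicit_rules, urls):
    """URLs whose rule is still Unknown, i.e. subtrees nobody has configured yet."""
    return [u for u in urls if effective_rule(explicit_rules, u) == UNKNOWN]


# Constructed rules for one hypothetical User of one Context.
SITE = "https://app.example"
RULES_FOR_USER = {
    (SITE, "admin"): DENIED,           # one rule covers the whole /admin subtree
    (SITE, "admin", "help"): ALLOWED,  # a deeper explicit rule overrides it
    (SITE, "account"): ALLOWED,
}
SAMPLE_URLS = [
    f"{SITE}/admin/users/42",
    f"{SITE}/admin/help/faq",
    f"{SITE}/account/profile?tab=keys",
    f"{SITE}/reports/2024",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{effective_rule(RULES_FOR_USER, url):8} {url}")
    print("Unknown:", unresolved(RULES_FOR_USER, SAMPLE_URLS))
```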
See also: Access Control Testing concepts, for a short introduction to Access Control Testing.