I was testing out the applications in Access and wanted to set up OTP to access one of my docker instances on my home server. I wanted access for only myself and my partner, so I set up an access group which had INCLUDE and our two emails. I then assigned the group to the application as INCLUDE.
As a test, I requested an OTP via another email I have that is not on that list, and the code was sent and I was able to log in. I changed the group to REQUIRE, which is all I want, but the policy still needs me to have at least one INCLUDE.
I don’t understand why having only INCLUDES effectively makes the policy null. I would think that you should have at least one REQUIRE rather than INCLUDE?