How does #all really work?

#all is a magic word that may be used on a policy to match all of the resources of that particular type.

For example, on a service policy, I can include #all as a service role to match all services, or #all as an identity role to match all identities. #all doesn't make sense as a role attribute on a resource (e.g. identity, service, or edge router) because it's implied, i.e. all resources match #all when it is used on a policy, and adding #all to a resource must not effect a grant for all policies of a particular type to that resource, correct? Therefore, adding #all to a resource's role attributes never has any effect.

Therefore, adding #all to a resource’s role attributes never has any effect.

Correct. Adding #all to a resource's role attributes has no effect.

Would you also agree that #all only makes sense on a policy when there are no other role attributes because it overrides any other possible combination of role attributes?

Yes. Currently, having #all means the policy will always match all related entities. It probably shouldn’t for policies with an AllOf semantic, but the expectation is that when using #all it will be the only role listed.

You explained that assigning #all to a resource has no effect because it wouldn’t matter what the assigned roles were if there was a policy with #all, but I wonder if maybe doing this should get a BAD REQUEST (400) response because it seems likely to cause confusion to have a meaningless attribute in place. As expected, the management API already responds 400 if I try to assign multiple roles to a policy including #all.
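A small model of the behaviour described in this thread, added here as an example and not taken from the project's code. It shows why #all on a resource changes nothing, and how to audit an inventory for #all policies and meaningless #all attributes. All function names, the `BadRequest` class and the sample inventory are hypothetical and constructed for illustration.

```python
ALL = "#all"


class BadRequest(ValueError):
    """Stands in for the 400 response the thread says the management API returns."""


def validate_policy_roles(roles):
    """Reject #all combined with any other role on a policy."""
    if ALL in roles and len(set(roles)) > 1:
        raise BadRequest("#all must be the only role listed on a policy")
    return list(roles)


def matches(policy_roles, semantic, resource_attrs):
    """True if a resource with these role attributes matches the policy's roles."""
    if ALL in policy_roles:
        # Per the thread: #all currently matches every entity, even under AllOf.
        return True
    wanted = {r.lstrip("#") for r in policy_roles}
    have = {a.lstrip("#") for a in resource_attrs}
    if not wanted:
        return False
    if semantic == "AllOf":
        return wanted <= have
    return bool(wanted & have)  # AnyOf


def audit(policies, resources):
    """Flag broad #all policies and resources carrying a no-op #all attribute."""
    findings = []
    for name, (roles, _semantic) in policies.items():
        if ALL in roles:
            findings.append(("policy", name, "matches every entity of this type"))
    for name, attrs in resources.items():
        if any(a.lstrip("#") == "all" for a in attrs):
            findings.append(("resource", name, "#all attribute has no effect"))
    return findings


# Constructed sample inventory (not real data).
POLICIES = {"bind-everything": (["#all"], "AllOf"), "sales-dial": (["#sales"], "AnyOf")}
RESOURCES = {"laptop-1": ["sales"], "laptop-2": ["#all"], "router-1": []}

if __name__ == "__main__":
    for finding in audit(POLICIES, RESOURCES):
        print(finding)
```

Because `#all` on a policy is handled before any attribute comparison, a resource attribute named `all` can never be the reason a policy matches.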