// JWT. This is a MinIO STS API specific value, this value
		// should be set and configured on your identity provider as
		// part of JWT custom claims.
		policySet, ok := policy.GetPoliciesFromClaims(claims, iamPolicyClaimNameOpenID())
		policies := strings.Join(policySet.ToSlice(), ",")
		if ok {
			policyName = globalIAMSys.CurrentPolicies(policies)
		}

		if newGlobalAuthZPluginFn() == nil {

			iamLogIf(GlobalContext, err)
			return false
		}

		// Finally, if there is no parent policy, check if a policy claim is
		// present.
		if len(svcPolicies) == 0 {
			policySet, _ := policy.GetPoliciesFromClaims(args.Claims, iamPolicyClaimNameOpenID())
			svcPolicies = policySet.ToSlice()
		}
	}

	// Defensive code: Do not allow any operation if no policy is found.
	if !isOwnerDerived && len(svcPolicies) == 0 {

		// For derived credentials, check the parent user's permissions.
		accountName = cred.ParentUser
	}

	roleArn := policy.Args{Claims: cred.Claims}.GetRoleArn()
	policySetFromClaims, hasPolicyClaim := policy.GetPoliciesFromClaims(cred.Claims, iamPolicyClaimNameOpenID())
	var effectivePolicy policy.Policy

	var buf []byte
	switch {
	case accountName == globalActiveCred.AccessKey || newGlobalAuthZPluginFn() != nil: