

Rule Types

When you create a business policy rule, specify the type of rule you want to create in the Type field of the rule creation wizard.

Together, the rule type and the restriction type define the rule logic.

The following types of rule are available:

Resource – Resource (by Roles)

Roles that include specified resources solely/must/must not/may/can only include specified resources.

This rule corresponds to the resource.resource.byRole rule type in the Client Tools.

Resource – Resource (by Users)

Users that can access specified resources solely/must/must not/may/can only access other specified resources.

This rule corresponds to the resource.resource.byUser rule type in the Client Tools.

Role – Resource (by Roles)

Roles that include specified roles solely/must/must not/may/can only include specified resources.

This rule corresponds to the resource.role.byRole rule type in the Client Tools.

Role – Resource (by Users)

Users that can access specified roles solely/must/must not/may/can only access specified resources. For example, users with the Research or IT role must have access to the Unix Admin resource.

This rule corresponds to the resource.role.byUser rule type in the Client Tools.

Role – Role (by Roles)

Roles that include specified roles solely/must/must not/may/can only include other specified roles. For example, roles that include the Purchasing role cannot include the Finance role.

This rule corresponds to the role.role.byRole rule type in the Client Tools.

Role – Role (by Users)

Users that can access specified roles solely/must/must not/may/can only access other specified roles. For example, only users with the Manager or Sys Admin roles can have the Database Creator or Database Editor roles.

This rule corresponds to the role.role.byUser rule type in the Client Tools.

Segregation of Duty Resources

Use this rule to segregate duties. You specify a set of resources and a target number of resources. Each user must have more than/exactly/less than the specified number of resources from the specified set of resources.

This rule corresponds to the segregation.role rule type in the Client Tools.

Segregation of Duty Roles

Use this rule to segregate duties. You specify a set of roles and a target number of roles. Each user must have more than/exactly/less than the specified number of roles from the specified set of roles. For example: define a set that includes all roles that let users approve purchases. You can then restrict the number of these roles that users can have simultaneously.

This rule corresponds to the segregation.role rule type in the Client Tools.
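The Role – Role (by Users) and Segregation of Duty Roles semantics above, applied to a constructed user/role table as an added illustration (this is not Client Tools code; the restriction keyword meanings and the function names are assumptions made for the example, since the restriction types are defined in the Rule Restrictions topic):

```python
# Added illustration, not product code: applies the Role - Role (by Users)
# and Segregation of Duty Roles checks to a constructed user/role table.

# Constructed sample data: user -> set of roles held.
USER_ROLES = {
    "alice": {"Manager", "Database Creator"},
    "bob": {"Developer", "Database Editor"},
    "carol": {"Purchasing Approver", "Invoice Approver", "Payment Approver"},
    "dave": {"Sys Admin"},
}

# Constructed role set: every role that lets a user approve purchases.
APPROVAL_ROLES = {"Purchasing Approver", "Invoice Approver", "Payment Approver"}


def check_role_role_by_user(user_roles, source, target, restriction):
    """Role - Role (by Users). Assumed keyword meanings (hypothetical mapping):
    'can only' - only users holding a source role may hold a target role
                 (the Manager / Sys Admin example in the text).
    'must not' - users holding a source role must not hold a target role.
    'must'     - users holding a source role must hold every target role.
    Returns the sorted list of violating user names."""
    violations = []
    for user, roles in user_roles.items():
        has_source = bool(roles & source)
        has_target = bool(roles & target)
        if restriction == "can only" and has_target and not has_source:
            violations.append(user)
        elif restriction == "must not" and has_source and has_target:
            violations.append(user)
        elif restriction == "must" and has_source and not target <= roles:
            violations.append(user)
    return sorted(violations)


def check_segregation_roles(user_roles, role_set, comparison, limit):
    """Segregation of Duty Roles: the number of roles each user holds from
    role_set must be 'more than' / 'exactly' / 'less than' limit.
    Returns the sorted list of users whose count fails the comparison."""
    compare = {
        "more than": lambda n: n > limit,
        "exactly": lambda n: n == limit,
        "less than": lambda n: n < limit,
    }[comparison]
    return sorted(u for u, roles in user_roles.items()
                  if not compare(len(roles & role_set)))
```

Running the first check with source `{"Manager", "Sys Admin"}`, target `{"Database Creator", "Database Editor"}` and `"can only"` flags bob, who holds Database Editor without either prerequisite role; the segregation check with `"less than"` 2 over `APPROVAL_ROLES` flags carol, who holds three approval roles.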

User Attribute - Resource

Users with specified attribute values solely/must/must not/may/can only access specified resources.

This rule corresponds to the user.attribute.resource rule type in the Client Tools.

User Attribute - Role

Users with specified attribute values solely/must/must not/may/can only access specified roles. For example, the Marketing_Paris role can only be given to users with the Location attribute equal to France and the Organization attribute equal to Sales.

This rule corresponds to the user.attribute.role rule type in the Client Tools.

User Attribute - Role Attribute

Users with specified attribute values solely/must/must not/may/can only access roles with specified attribute values. For example, only users with the Company attribute equal to Temporary are assigned all roles with the organization attribute equal to Subcontractors.

This rule corresponds to the user.attribute.role.attribute rule type in the Client Tools.

User Attribute Value

Use this rule to select user attribute values. You can define a range of test restrictions on attribute values that check for null values, numerical and date ranges, and text patterns.

This rule corresponds to the user.attribute.value rule type in the Client Tools.

User Counter of Resources

The number of users with the specified resources must be more than/less than/exactly/unequal to the specified numerical limit. When you specify the forbidden value restriction, the rule limits the number of users that may not have the specified resources - all other users must have these resources.

This rule corresponds to the user.count.resource rule type in the Client Tools.

User Counter of Roles

The number of users with the specified roles must be more than/less than/exactly/unequal to the specified numerical limit. When you specify the forbidden value restriction, the rule limits the number of users that may not have the specified roles - all other users must have these roles.

This rule corresponds to the user.count.role rule type in the Client Tools.