Exclude Roles in a Policy

In addition to using access roles to grant access to applications, you can use access roles to deny access to an application: you exclude those roles from the SiteMinder policy. When a user who has been assigned an excluded access role in Identity Manager tries to access a protected resource, the Policy Server verifies that the user holds the excluded Identity Manager role and blocks access to the resource.

To exclude Identity Manager roles from a policy

  1. In the SiteMinder Policy dialog, click the Users tab.

    The Users tab contains tabs for each user directory and Identity Manager Environment included in the policy domain.

  2. Click the Identity Manager Environment that contains the roles you want to exclude from your policy.
  3. Click the Add/Remove button.

    The SiteMinder Policy Identity Manager Role dialog opens.

  4. To add roles to the policy, select an entry in the Available Members list and click the Left Arrow button, which points toward the Current Members list.

    The reverse procedure (select an entry in the Current Members list and click the opposite arrow) removes the role from the Current Members list.

  5. In the Current Members list, select the roles you want to exclude, and click the Exclude button located under the list.

    A red circle with a slash appears to the left of the excluded roles.

  6. Click OK to save your changes and return to the SiteMinder Policy dialog.